TITLE OF THE INVENTION 

Efficient And Compact Subgroup Trace Representation ("XTR") 
INVENTORS 

Arjen K. Lenstra and Eric R. Verheul 
RELATED PATENT APPLICATIONS 

The following copending US Patent applications are directed to related inventions and are 
incorporated herein by reference. 

US Patent application entitled "Cyclotomic Polynomial Construction Of Discrete 
Logarithm Cryptosystems Over Finite Fields", Application No. 08/800,669, Filed: 
February 14, 1997, Applicant: Arjen K. Lenstra. 

US Patent application entitled "Generating RSA Moduli Including A Predetermined 
Portion", Application No. 09/057,176, Filed: April 8, 1998, Applicant: Arjen K. Lenstra. 

BACKGROUND OF THE INVENTION 
Field of the Invention 

The invention disclosed broadly relates to public key cryptography and more particularly 
relates to improvements in key generation and cryptographic applications in public key 
cryptography. 

Related Art 

The generation of a modulus as part of a public key according to the Rivest-Shamir- 
Adleman (RSA) cryptographic method is described in U.S. Patent No. 4,405,829 (Rivest 
et al.), "Cryptographic Communications System and Method", the disclosure of which is 
hereby incorporated by reference. In a set-up phase of the RSA scheme, a participant 
picks two prime numbers, p and q, each having a selected number of bits, such as 512 
bits, with p not equal to q. The participant keeps p and q secret. The participant 
computes an RSA modulus n, with n = p * q. When p and q each have 512 bits, n has 
1023 or 1024 bits. The participant picks an RSA exponent e that has no factors in 
common with (p-1)(q-1). For efficiency purposes, the RSA exponent e is often chosen of 
much shorter length than the RSA modulus. When the RSA modulus n has 1024 bits, the 
RSA exponent e typically has at most 64 bits. The owning participant makes the public 
key (n, e) available to other participants. 

During operational use of the RSA scheme, other participants use the public key (n, e) to 
encrypt messages for the participant which owns that key. The owning participant is able 
to decrypt messages encrypted with the public key (n, e) due to possession of the secret 
prime numbers p and q. 

Participants must store not only the public key of other participants, but also identifying 
information such as the name, address, account number and so on of the participant 
owning each stored public key. There are problems with this situation. 
One problem with the present technique for using the RSA encryption scheme is that, 
although the RSA modulus n is 1024 bits, the amount of security provided actually 
corresponds to only 512 bits, since an attacker who knows one of p and q can readily 
obtain the other of p and q. Instead of having to store 1024 bits to obtain 512 truly secure 
bits, it is desirable to store far fewer bits, such as approximately 512 bits, to obtain the 
512 truly secure bits. 

Another problem with the present technique is that the long bit-length of the public keys 
imposes a significant bandwidth load on telecommunications devices, such as wireless 
telephone sets. It is desirable to reduce the amount of bandwidth load as much as 
possible. 

Generating RSA moduli having a predetermined portion has been considered by Scott A. 
Vanstone and Robert J. Zuccherato in "Short RSA Keys and Their Generation", J. 
Cryptology, 1995, volume 8, pages 101-114, the disclosure of which is hereby 
incorporated by reference. 

In "Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits 
Known", U. Maurer ed., EUROCRYPT '96 Proceedings, pages 178-189, Springer Verlag 
1996, the disclosure of which is hereby incorporated by reference, Don Coppersmith has 
analyzed the security of the Vanstone methods, and found that all but one of Vanstone's 
methods provide inadequate security. Specifically, for the Vanstone methods having 
predetermined high order bits, the RSA modulus n is generated in such a way that 
somewhat more than the high order $(1/4)\log_2 n$ bits of $p$ are revealed to the public, 
which enables discovery of the factorization of the RSA modulus $n$, thus leaving the 
scheme vulnerable to attack. 



SUMMARY OF THE INVENTION 

The invention disclosed provides improvements in key generation and cryptographic 
applications in public key cryptography, by both reducing: 1) the bit-length of public 
keys and other messages, thereby reducing the bandwidth requirements of 
telecommunications devices, such as wireless telephone sets, and 2) the computational 
effort required to encrypt/decrypt and to generate/verify digital signatures. 
The method of the invention determines a public key having a reduced length and a factor 
$p$, using $GF(p^2)$ arithmetic to achieve $GF(p^6)$ security, without explicitly constructing 
$GF(p^6)$. The method includes the step of selecting a number $p$ and a prime number $q$ that 
is a divisor of $p^2 - p + 1$. Then the method selects an element $g$ of order $q$ in $GF(p^6)$, 
where $g$ and its conjugates can be represented by $B$, where $F_g(X) = X^3 - BX^2 + B^pX - 1$ 
and the roots of $F_g(X)$ are $g$, $g^{p-1}$, and $g^{-p}$. Then the method represents the powers of $g$ 
using their trace over the field $GF(p^2)$. The method then selects a private key. The 
method then computes a public key as a function of $g$ and the private key. The public 
key can be used to encrypt a message and the public and private key can be used to 
decrypt the message. The public and private key can be used for signing a message and 
the public key can be used for verifying the signature. A Diffie Hellman key exchange or 
other related scheme can be conducted using the public key generated by the method. 
The resulting invention reduces the bit-length of public keys and other messages, thereby 
reducing the bandwidth requirements of telecommunications devices, and reduces the 
computational effort required to encrypt/decrypt and to generate/verify digital signatures. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a diagram of an example network in which the invention can be carried out. 

Figure 2 is a functional block diagram of an example server computer in the network of 
Figure 1, in which the invention can be carried out. 
Figure 3 is a functional block diagram of an example client computer in the network of 
Figure 1, in which the invention can be carried out. 

Figure 4 is a flow diagram of the method performed in a server and/or a client in the 
network of Figure 1, in accordance with the invention. 

Figure 5 is a flow diagram of the preferred embodiment of the method for selection of 
"p" and "q", as shown in section 2.1. 

Figure 6 is a flow diagram of the arithmetic method to support key generation, as shown 
in section 2.4.4. 

Figure 7 is a flow diagram of the method of key generation, as shown in section 3.3.8. 

Figure 8 is a flow diagram of the method of Diffie Hellman key exchange, as shown in 
section 4.1, using keys generated by the method of Figure 7. 

Figure 9 is a flow diagram of the method of ElGamal encryption, as shown in section 4.2, 
using keys generated by the method of Figure 7. 

Figure 10A is a flow diagram of the arithmetic method to support generating digital 
signatures, as shown in section 2.5.3. 

Figure 10B is a flow diagram of the method of generating digital signatures, as shown in 
section 4.3, using keys generated by the method of Figure 7. 
DESCRIPTION OF THE PREFERRED EMBODIMENTS 

The Network and System Environment of the Invention 

The invention is a method, system, computer program, computer program article of 
manufacture, and business method for providing improvements in key generation and 
cryptographic applications in public key cryptography, by both reducing: 1) the bit- 
length of public keys and other messages, thereby reducing the bandwidth requirements 
of telecommunications devices, such as wireless telephone sets, and 2) the computational 
effort required to encrypt/decrypt and to generate/verify digital signatures. 

Figure 1 is a diagram of an example network in which the invention can be carried 
out. The method of the invention can be performed, for example, in a server computer 
connected over a network to a client computer. The method can also be performed, for 
example, in a client computer. Figure 1 shows a server computer 102 connected over the 
Internet network 104 to three client computers, the personal computer 106, the main 
frame computer 108, and a microprocessor in the mobile phone client 130. The mobile 
phone client 130 is connected via the mobile telephone switching office 110 and the radio 
frequency base station 120 to the network 104. A database 112 is connected to the server 
102, which stores public keys labeled (1), (2), and (3). Public key (1) was generated, in 
accordance with the method of the invention, in the personal computer client 106, and 
was transmitted over the network 104 to the server 102, for storage in the database 112. 
Public key (2) was generated, in accordance with the method of the invention, in the main 
frame client 108, and was transmitted over the network 104 to the server 102, for storage 
in the database 112. Public key (3) was generated, in accordance with the method of the 
invention, in the microprocessor of the mobile phone client 130, and was transmitted to 
the base station 120 over its radio frequency link, and via the mobile telephone switching 
office 110 and the network 104 to the server 102, for storage in the database 112. Public 
key (4) was generated, in accordance with the method of the invention, in the server 
computer 102, and was transmitted over the network 104 to each of the clients 106, 108, 
and 130. Each client 106, 108, and 130 generated, in accordance with the method of the 
invention, a private key respectively labeled (1), (2), and (3) which remains stored in the 
respective client. The server 102 generated, in accordance with the method of the 
invention, a private key labeled (4) which remains stored in the server. 
Figure 2 is a functional block diagram of an example server computer in the network of 
Figure 1, in which the invention can be carried out. The server computer 102 includes a 
memory 202 connected by the bus 204 to the database 112, a hard drive 206, a CPU 
processor 208, and a network interface card 210 which is connected to the Internet 
network 104. The memory 202 includes an input buffer 232 and an output buffer 234. 
The memory 202 also includes a "p" buffer 236, a "q" buffer 238, a "g" buffer 240, and a 
"B" buffer 242. See sections 1, 2, and 3, below, for a discussion of the values "p", "q", 
"g", and "B". The memory 202 also includes a private key buffer 244, and a public key 
buffer 246. The memory 202 also includes a key generation program 400, whose flow 
diagram is shown in Figure 4, which operates in accordance with the method of the 
invention. The memory 202 also includes an encryption program 250 that uses the keys 
generated by the key generation program 400. The method of ElGamal encryption is 
described in section 4.2. The memory 202 also includes a digital signature signing and 
verifying program 252 that uses the keys generated by the key generation program 400. 
The arithmetic method to support generating digital signatures is described in section 
2.5.3 and the method of generating digital signatures is described in section 4.3. The 
memory 202 also includes a key exchange program 254 that uses the keys generated by 
the key generation program 400. The method of Diffie Hellman key exchange is 
described in section 4.1. The memory 202 also includes an operating system program 
220. The programs stored in the memory 202 are sequences of executable steps which, 
when executed by the CPU processor 208, perform the methods of the invention. 

Figure 3 is a functional block diagram of an example client computer in the network 
of Figure 1, such as the client 106. The client computer 106 includes a memory 302 
connected by the bus 304 to the display interface 314, the keyboard and mouse interface 
312, a hard drive 306, a CPU processor 308, and a network interface card 310 which is 
connected to the Internet network 104. The memory 302 includes an input buffer 332, an 
output buffer 334, a "p" buffer 336, a "q" buffer 338, a "g" buffer 340, a "B" buffer 342, a 
private key buffer 344, and a public key buffer 346. The memory 302 also includes the 
key generation program 400, whose flow diagram is shown in Figure 4, which operates in 
accordance with the method of the invention. The memory 302 also includes the 
encryption program 250 that uses the keys generated by the key generation program 400. 
The memory 302 also includes a digital signature signing and verifying program 252 that 
uses the keys generated by the key generation program 400. The memory 302 also 
includes a key exchange program 254 that uses the keys generated by the key generation 
program 400. The memory 302 also includes an operating system program 320 and a 
browser program 106'. The programs stored in the memory 302 are sequences of 
executable steps which, when executed by the CPU processor 308, perform the methods 
of the invention. 

Figure 4 is a flow diagram of the method performed in either the server computer 
102 of Figure 2, or in the clients 106, 108, and/or 130 in accordance with the invention. 
Program 400 is a sequence of executable steps that embody the method of Figure 4. The 
method begins at 402 with the step 404 of selecting "q" and "p". The method continues 
with the step 406 of selecting "g". Then the method continues with the step 408 of 
representing the powers of "g" using their trace. Then the method continues with the step 
410 of selecting a private key. Then the method continues with the step 412 of 
computing a public key as a function of "g" and the private key. See sections 1, 2, and 3, 
below, for a discussion of the values "p", "q", and "g". Finally, the method concludes 
with the step 414 of using the public key and the private key in encryption and 
decryption, in digital signature signing and verification, and in key exchange and related 
applications. See section 4, below, for a discussion of these applications. 

1. Introduction 

The well known Diffie-Hellman (DH) key agreement protocol was the first practical 
solution to the key distribution problem, allowing two parties that have never met to 
establish a shared secret key by exchanging information over an open channel. In the 
basic DH scheme the two parties agree upon a generator g of the multiplicative group 
GF(p)* of a prime field GF(p) and they each send a random power of g to the other party 
(cf. Section 4 for a full description). Thus, assuming both parties know $p$ and $g$, each 
party transmits about $\log_2(p)$ bits to the other party. 

In [4] it was suggested that finite extension fields can be used instead of prime 
fields, but no direct computational or communication advantages were implied. In [8] a 
variant of the basic DH scheme was introduced where $g$ generates a relatively small 
subgroup of $GF(p)^*$ of prime order $q$. This considerably reduces the computational cost of 
the DH scheme, but has no effect on the number of bits to be exchanged. In [2] it was 
shown for the first time how the use of finite extension fields and subgroups can be 
combined in such a way that the number of bits to be exchanged is reduced by a factor 3. 
More specifically, it was shown that elements of an order $q$ subgroup of $GF(p^6)^*$ can be 
represented using $2\log_2(p)$ bits if $q$ divides $p^2 - p + 1$. Despite its communication 
efficiency, the method of [2] is rather cumbersome and computationally not particularly 
efficient. 

In this paper we present a greatly improved version of the method from [2] that 
achieves the same communication advantage at a much lower computational cost. 
Furthermore, we prove that using our method in cryptographic protocols does not affect 
their security. The best attacks we are aware of are Pollard's rho method in the order $q$ 
subgroup, or the Discrete Logarithm variant of the Number Field Sieve in the full 
multiplicative group $GF(p^6)^*$. With primes $p$ and $q$ of about $1024/6 \approx 170$ bits the security 
of our method is equivalent to traditional subgroup systems using 170-bit subgroups and 
1024-bit finite fields. But our subgroup elements can be represented using only about 
$2 \cdot 170$ bits, which is substantially less than the 1024 bits required for their traditional 
representation. The amount of computation required by a full exponentiation in our 
method is about the same as the time required by a full scalar multiplication in a 170-bit 
Elliptic Curve cryptosystem, and thus substantially less than the time required by a full 
1024-bit RSA exponentiation. As a result our method may be regarded as a compromise 
between RSA and Elliptic Curve cryptosystems (ECC). We get security similar to RSA 
for much smaller public key sizes than RSA (though somewhat larger than ECC public 
keys), but we are not affected by the uncertainty of ECC security. Furthermore, key 
selection for our method is trivial compared to RSA, and certainly compared to ECC. 
Apart from its performance advantages, the most intriguing and innovative aspect of our 
method is that it is the first method we are aware of that uses $GF(p^2)$ arithmetic to achieve 
$GF(p^6)$ security, without explicitly constructing $GF(p^6)$. Denote by $g$ an element of order 
$q > 3$ dividing $p^2 - p + 1$. Because $p^2 - p + 1$ divides the order $p^6 - 1$ of $GF(p^6)^*$ this $g$ 
can be thought of as a generator of an order $q$ subgroup of $GF(p^6)^*$. As shown in [6], 
since $p^2 - p + 1$ does not divide any $p^s - 1$ for any integer $s$ smaller than and dividing 6, 
the subgroup generated by $g$ cannot be embedded in the multiplicative group of any true 
subfield of $GF(p^6)$ (assuming $q$ is sufficiently large). We show, however, that arbitrary 
powers of $g$ can be represented using a single element of the subfield $GF(p^2)$, that such 
powers can be computed using arithmetic operations in $GF(p^2)$, and that arithmetic in the 
extension field $GF(p^6)$ can be avoided. Moreover, our exponentiation method is much 
more efficient than other published methods to compute powers of elements of order 
dividing $p^2 - p + 1$. 

In Section 2 we describe our method to represent and calculate powers of 
subgroup elements. In Section 3 we explain how a proper subgroup generator can 
conveniently be found using the method from Section 2. Cryptographic applications are 
given in Section 4, along with comparisons with RSA and ECC. In Section 5 we prove 
that the security of our method is equivalent to the security offered by traditional 
subgroup approaches. Extensions of our method are discussed in Section 6. 

2. Subgroup representation and arithmetic 

2.1 System setup 

Let $p \equiv 2 \bmod 3$ be a prime number such that $6\log_2(p) \approx 1024$ and such that 
$\Phi_6(p) = p^2 - p + 1$ has a prime factor $q$ with $\log_2(q) \geq 160$. Such $p$ and $q$ (or of any other 
reasonable desired size) can quickly be found by picking a prime $q \equiv 7 \bmod 12$, by 
finding the two roots $r_1$ and $r_2$ of $x^2 - x + 1 \equiv 0 \bmod q$, and by finding an integer $k$ such 
that $r_i + kq$ is $2 \bmod 3$ and prime for $i = 1$ or $2$. If desired, primes $q$ can be selected until 
the smallest or the largest root is prime, or any other straightforward variant that fits 
one's needs may be used, for instance to get $\log_2(q) \approx 180$ and $6\log_2(p) \approx 3000$, i.e., 
$\log_2(p)$ considerably bigger than $\log_2(q)$. From $q \equiv 7 \bmod 12$ it follows that $q \equiv 1 \bmod 3$ 
so that, with quadratic reciprocity, $x^2 - x + 1 \equiv 0 \bmod q$ has two roots. It also follows that 
$q \equiv 3 \bmod 4$ which implies that those roots can be found using a single $((q+1)/4)$th 
powering modulo $q$. 

By $g \in GF(p^6)$ we denote an element of order $q$. It is well known that $g$ is not 
contained in any proper subfield of $GF(p^6)$ (cf. [4]). In the next section it is shown that 
there is no need for an actual representation of $g$ and that arithmetic on elements of $GF(p^6)$ 
can be entirely avoided. Thus, there is no need to represent elements of $GF(p^6)$, for 
instance by constructing an irreducible 3rd degree polynomial over $GF(p^2)$. A 
representation of $GF(p^2)$ is needed however. This is done as follows. 

From $p \equiv 2 \bmod 3$ it follows that $p \bmod 3$ generates $GF(3)^*$, so that the zeros $\alpha$ and 
$\alpha^p$ of the polynomial $(X^3 - 1)/(X - 1) = X^2 + X + 1$ form an optimal normal basis for 
$GF(p^2)$ over $GF(p)$. Because $\alpha^p = \alpha^{p \bmod 3} = \alpha^2$, an element $x \in GF(p^2)$ can be represented as 
$x_0\alpha + x_1\alpha^p = x_0\alpha + x_1\alpha^2$ for $x_0, x_1 \in GF(p)$, so that $x^p = x_0\alpha^p + x_1\alpha^{2p} = x_1\alpha + x_0\alpha^2$. 

Figure 5 is a flow diagram of the method for selection of "p", as shown in section 2.1. 

2.2 Cost of arithmetic in GF(p 2 ) 

It follows from the last identity that $p$th powering is for free in $GF(p^2)$. A squaring in 
$GF(p^2)$ can be carried out at the cost of 2 squarings and a single multiplication in $GF(p)$, 
where as customary we do not count additions in $GF(p)$. Straightforward multiplication in 
$GF(p^2)$ takes four multiplications in $GF(p)$, but this can trivially be reduced to three by 
using a simple Karatsuba-like approach (cf. [5, section 4.3.3]): to compute $(x_0\alpha + x_1\alpha^2) \cdot (y_0\alpha + y_1\alpha^2)$ 
it suffices to compute $x_0 y_0$, $x_1 y_1$, and $(x_0 + x_1)(y_0 + y_1)$, after which $x_0 y_1 + x_1 y_0$ 
follows using two subtractions. 

2.3 Compact representation of powers of g and their conjugates 

We present a number of straightforward results that show that powers of g, up to 
conjugacy, can be represented using a single element of GF(p 2 ). 

We recall the definition of the trace function $Tr(x)$ from $GF(p^6)$ onto $GF(p^2)$ mapping $x$ to 
$x + x^{p^2} + x^{p^4}$. Because the order of $x \in GF(p^6)^*$ divides $p^6 - 1$ the function is well 
defined. For $x, y \in GF(p^6)$ and $c \in GF(p^2)$, $Tr(x+y) = Tr(x) + Tr(y)$ and $Tr(cx) = c \cdot Tr(x)$. 
That is, $Tr(x)$ is $GF(p^2)$-linear. 

Lemma 2.3.1. The minimal polynomial of $g$ over $GF(p^2)$ is $X^3 - BX^2 + B^pX - 1 \in GF(p^2)[X]$ with $B = g + g^{p-1} + g^{-p} \in GF(p^2)$. 

Proof. Because $g$ is not contained in any proper subfield of $GF(p^6)$ it is a root of a unique 
monic irreducible polynomial $F(X) = X^3 - BX^2 + CX - D \in GF(p^2)[X]$. Because 
$F(X)^{p^2} = F(X^{p^2})$ the roots of $F(X)$ are $g$ and its conjugates $g^{p^2}$ and $g^{p^4}$. Because 
the order $q$ of $g$ divides $p^2 - p + 1$ and because $p^2 \equiv p - 1 \bmod (p^2 - p + 1)$ and $p^4 \equiv -p \bmod (p^2 - p + 1)$, we find that $g^{p^2} = g^{p-1}$ and $g^{p^4} = g^{-p}$ so that 

$$D = g \cdot g^{p^2} \cdot g^{p^4} = g \cdot g^{p-1} \cdot g^{-p} = g^{1 + p - 1 - p} = 1$$ 

and 

$$B = g + g^{p^2} + g^{p^4} = g + g^{p-1} + g^{-p}.$$ 

Note that $B = Tr(g)$. From $F(g^{-p}) = 0$ it follows that 

$$g^{-3p} - Bg^{-2p} + Cg^{-p} - 1 = g^{-3p}\left(1 - Bg^{p} + Cg^{2p} - g^{3p}\right) = 0,$$ 

so that $g^p$ is a root of $X^3 - CX^2 + BX - 1$, and hence $g^{p^2}$, and with it $g$, is a root of $X^3 - C^pX^2 + B^pX - 1$. 
Because $X^3 - C^pX^2 + B^pX - 1$ is the unique monic irreducible polynomial in $GF(p^2)[X]$ that has $g$ as a 
root it follows that $B = C^p$, i.e., $C = B^p$, which finishes the proof. 
Remark 2.3.2. The identity $C = B^p$ in the proof of Lemma 2.3.1 also follows from 

$$C = g \cdot g^{p-1} + g \cdot g^{-p} + g^{p-1} \cdot g^{-p} = g^{p} + g^{1-p} + g^{-1}$$ 

and 

$$B^p = g^{p} + g^{p^2 - p} + g^{-p^2} = g^{p} + g^{-1} + g^{1-p},$$ 

since $p^2 - p \equiv -1 \bmod (p^2 - p + 1)$ and $-p^2 \equiv 1 - p \bmod (p^2 - p + 1)$. 

Based on Lemma 2.3.1 it is tempting to represent $g$ and its conjugates by $Tr(g)$. We show 
that a result similar to Lemma 2.3.1 holds for any power of $g$ and its conjugates. 
Consequently, $g^n$ and its conjugates can be represented by $Tr(g^n)$. For notational 
convenience we use the following definition. 

Definition 2.3.3. Let $T(n) = Tr(g^n) \in GF(p^2)$. Note that $T(n) = g^n + g^{np-n} + g^{-np}$ and that 
$T(1) = B$ with $B$ as in Lemma 2.3.1. 

Lemma 2.3.4. $T(np) = T(n)^p = g^{np} + g^{n-np} + g^{-n} = T(-n)$. 

Proof. Immediate from the definition of $T(n)$ and from 

$$g^{np} + g^{np^2 - np} + g^{-np^2} = g^{np} + g^{-n} + g^{n-np} = T(-n)$$ 

as in Remark 2.3.2. 

Lemma 2.3.5. For any integer $n$ the roots of the polynomial $X^3 - T(n)X^2 + T(n)^pX - 1 \in GF(p^2)[X]$ are $g^n$ and its conjugates $g^{np^2} = g^{np-n}$ and $g^{np^4} = g^{-np}$. 

Proof. We compare the coefficients with the coefficients of the polynomial 
$(X - g^n)(X - g^{np-n})(X - g^{-np})$. The coefficient of $X^2$ follows from Definition 2.3.3, the 
constant coefficient from $g^{n + np - n - np} = 1$, and the coefficient of $X$ from 

$$g^{n + np - n} + g^{n - np} + g^{np - n - np} = g^{np} + g^{n-np} + g^{-n}$$ 

and Lemma 2.3.4. 

2.4 Computing $T(n)$ for arbitrary $n$ 

We show that $T(n)$ can efficiently be computed for any non-negative integer $n$. 

Lemma 2.4.1. $T(u+v) = T(u) \cdot T(v) - T(v)^p \cdot T(u-v) + T(u-2v)$. 

Proof. Immediate from the definition of $T(u)$ and $T(v)^p = T(-v)$ (cf. Lemma 2.3.4). 

Corollary 2.4.2. Let $B = T(1)$ as in Lemma 2.3.1. 

i. $T(2n) = T(n)^2 - 2T(n)^p$; 

ii. $T(n+1) = B \cdot T(n) - B^p \cdot T(n-1) + T(n-2)$; 

iii. $T(2n-1) = T(n) \cdot T(n-1) - B \cdot T(n-1)^p + T(n-2)^p$; 

iv. $T(2n-3) = T(n-2) \cdot T(n-1) - B^p \cdot T(n-1)^p + T(n)^p$. 

Proof. 

i. This follows from Lemma 2.4.1 with $u = v = n$, $T(0) = 3$, and Lemma 2.3.4: 
$T(2n) = T(n)^2 - T(n)^p \cdot T(0) + T(-n) = T(n)^2 - 3T(n)^p + T(n)^p = T(n)^2 - 2T(n)^p$. 

ii. This follows from Lemma 2.4.1 with $u = n$ and $v = 1$. 

iii. This follows from Lemma 2.4.1 with $u = n$, $v = n - 1$ and Lemma 2.3.4. 

iv. This follows from Lemma 2.4.1 with $u = n - 2$, $v = n - 1$ and Lemma 2.3.4. 

Definition 2.4.3. Let $S(n) = (T(n-2), T(n-1), T(n))$ for $n > 0$, where $T(-1) = T(1)^p = B^p$ 
(cf. Lemma 2.3.4) and $T(0) = 3$. 

Algorithm 2.4.4 for the computation of $T(n)$ given $B = T(1)$. Given $B$ (and $B^p$), we 
show how $S(n+1)$ and $S(2n)$ can be computed based on $S(n)$. Computation of $T(n)$ for 
arbitrary $n$ then follows using the ordinary square and multiply method based on $S(1) = (B^p, 3, B)$ (cf. Definition 2.4.3). 

• $S(n+1)$ can be computed from $S(n)$ using Corollary 2.4.2.ii. This takes two 
multiplications in $GF(p^2)$. 

• $S(2n)$ can be computed by first using Corollary 2.4.2.i to compute $T(2n-2)$ and $T(2n)$ 
given $S(n)$, at the cost of two squarings in $GF(p^2)$, followed by an application of 
Corollary 2.4.2.iii to compute $T(2n-1)$ at the cost of two multiplications in $GF(p^2)$. 

In both steps we use that $p$th powering is for free in $GF(p^2)$. Figure 6 is a flow diagram of 
the arithmetic method to support key generation, as shown in section 2.4.4. 

Theorem 2.4.5. Let $w(n)$ denote the number of ones in the binary expansion of $n$. The 
representation $T(n)$ of the $n$th power of $g$ and its conjugates can be computed at the cost 
of $2\log_2(n)$ squarings in $GF(p^2)$ and $2w(n) + 2\log_2(n)$ multiplications in $GF(p^2)$. 

Proof. Immediate from Algorithm 2.4.4. 

Corollary 2.4.6. With $w(n)$ as in Theorem 2.4.5, the representation $T(n)$ of the $n$th power 
of $g$ and its conjugates can be computed at the cost of $4\log_2(n)$ squarings and 
$6w(n) + 8\log_2(n)$ multiplications in $GF(p)$. 

Proof. Immediate from Theorem 2.4.5 and 2.2. 

Remark 2.4.7. Assuming that $w(n) \approx \log_2(n)/2$ and that a squaring in $GF(p)$ takes 80% 
of the time of a multiplication in $GF(p)$, we find that the computation of $T(n)$ for $n \approx q$ 
can be performed at an expected cost of about $14.2\log_2(q)$ multiplications in $GF(p)$. This 
is more than 60% faster than the $37.8\log_2(q)$ multiplications in $GF(p)$ required by the 
method from [4] where powers of $g$ are more traditionally represented as elements of 
$GF(p^6)$ and which is substantially faster than standard methods to deal with subgroups. 
For the last estimate we assume that $\log_2(q) \approx \log_2(p)$. If elements of $\langle g \rangle$ are represented 
using a 3rd degree extension of $GF(p^2)$, then exponentiation would take $42.3\log_2(q)$ 
multiplications in $GF(p)$, due to the fact that arithmetic in $GF(p^2)$ is fast and because an 
extension polynomial of the special form $X^3 - BX^2 + B^pX - 1$ may be used. Note that, 
unlike the methods from for instance [1], we do not assume that $p$ has a special form. 
Using such primes leads to additional savings by making the arithmetic in $GF(p)$ faster. 

Corollary 2.4.2.iv allows us to replace the standard square and multiply method by the 
less well known binary method, thereby saving some multiplications. 

Algorithm 2.4.8 for the computation of $T(n)$ given $B = T(1)$. Given $B$ and $S(n)$ it is 
straightforward to compute $S(2n)$ or $S(2n-1)$ using Corollary 2.4.2: 

• $S(2n)$ is computed as in Algorithm 2.4.4 at the cost of two squarings and two 
multiplications in $GF(p^2)$. 

• $S(2n-1)$ is computed by computing $T(2n-1)$ and $T(2n-2)$ as above at the cost of one 
squaring and two multiplications in $GF(p^2)$, and by computing $T(2n-3)$ using 
Corollary 2.4.2.iv at the cost of two multiplications in $GF(p^2)$. 

In both steps we use that $p$th powering is for free in $GF(p^2)$. 

Let $n > 2$ be some odd positive integer. To compute $T(n)$ we proceed as follows. Let $S(2) = (3, B, B^2 - 2B^p)$ (cf. Definition 2.4.3 and Corollary 2.4.2.i), let $r$ be such that $2^r < n < 2^{r+1}$, let $2^{r+1} - n = \sum_{0 \leq j < r} n_j 2^j$ with $n_j \in \{0, 1\}$, and let $k = 2$. For $i = r-1, r-2, \ldots, 0$ in 
succession replace $S(k)$ by $S(2k)$ and $k$ by $2k$ if $n_i = 0$, and $S(k)$ by $S(2k-1)$ and $k$ by $2k-1$ 
if $n_i = 1$. As a result we have that $k = n$, so that $T(n)$ follows from $S(n)$. 
If $n$ is even we apply the above procedure to the odd part of $n$ followed by one or more 
applications of Corollary 2.4.2.i. 

Theorem 2.4.9. For a randomly selected $N$-bit number $n$, the representation $T(n)$ of the 
$n$th power of $g$ and its conjugates can be computed at an expected cost of $1.5N$ 
squarings and $3N$ multiplications in $GF(p^2)$. 

Proof. Immediate from Algorithm 2.4.8. 

Corollary 2.4.10. For a randomly selected $N$-bit number $n$, the representation $T(n)$ of the 
$n$th power of $g$ and its conjugates can be computed at an expected cost of $3N$ squarings 
and $9.5N$ multiplications in $GF(p)$. 

Proof. Application of Theorem 2.4.9 and 2.2 leads to $3N$ squarings and $10.5N$ 
multiplications in $GF(p)$. In the computation of $S(2n-1)$, however, we compute both 
$B \cdot T(n-1)^p$ and $B^p \cdot T(n-1)^p$, which can be done using 4 as opposed to 6 multiplications 
in $GF(p)$ if we combine the computations. So we may expect to be able to save a total of 
$(2N)/2$ multiplications in $GF(p)$. 

Remark 2.4.11. We find that the computation of $T(n)$ for $n \approx q$ can be performed at an 
expected cost of about $11.9\log_2(q)$ multiplications in $GF(p)$ (cf. assumptions in Remark 
2.4.7). Thus, Algorithm 2.4.8 can be expected to be more than 15% faster than Algorithm 
2.4.4. Under the assumption that $\log_2(q) \approx \log_2(p)$, exponentiation using Algorithm 2.4.8 
is more than 3 times faster than the fast method from [4] mentioned in 2.4.7. 
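The setup procedure of section 2.1, the normal-basis arithmetic of section 2.2 and Algorithms 2.4.4 and 2.4.8 above, worked through in Python as an added example (this is not code from the patent or from its inventors). The toy parameter sizes, the sample value of $B$ and all function names are constructed for the illustration. Because $T(n)$ is the $n$-th power sum of the three roots of $X^3 - BX^2 + B^pX - 1$, the recurrences of Corollary 2.4.2 hold for every $B \in GF(p^2)$, so a constructed $B$ suffices to exercise the arithmetic; obtaining a $B$ that is the trace of an element of order $q$ is the subject of section 3 and is not reproduced here. Both algorithms are cross-checked against the plain recurrence of Corollary 2.4.2.ii.

```python
# Added example, not part of the patent text.  Toy-size XTR parameter search
# (section 2.1), GF(p^2) arithmetic in the normal basis {alpha, alpha^2}
# (section 2.2) and trace exponentiation by Algorithms 2.4.4 and 2.4.8.
# Every concrete value below (sizes, B) is constructed for illustration.

def is_prime(n):
    """Trial division; sufficient for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def find_p_q(q_start=7):
    """Section 2.1: prime q = 7 mod 12, roots r1, r2 of x^2 - x + 1 = 0 mod q
    via one ((q+1)/4)-th powering (q = 3 mod 4), then the first prime
    p = r_i + k*q with p = 2 mod 3; by construction q divides p^2 - p + 1."""
    q = q_start
    while True:
        if q % 12 == 7 and is_prime(q):
            s = pow(-3 % q, (q + 1) // 4, q)      # square root of -3 mod q
            half = pow(2, -1, q)
            roots = [((1 + s) * half) % q, ((1 - s) * half) % q]
            for k in range(1, 10000):
                for r in roots:
                    p = r + k * q
                    if p % 3 == 2 and is_prime(p):
                        assert (p * p - p + 1) % q == 0
                        return p, q
        q += 1

class GFp2:
    """GF(p^2) for p = 2 mod 3; x = x0*alpha + x1*alpha^2 is the tuple (x0, x1),
    with alpha^2 + alpha + 1 = 0, so 1 = -alpha - alpha^2 and alpha^3 = 1."""
    def __init__(self, p):
        assert p % 3 == 2
        self.p = p
    def const(self, c):                      # embed c in GF(p) into GF(p^2)
        return (-c % self.p, -c % self.p)
    def add(self, x, y):
        return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)
    def sub(self, x, y):
        return ((x[0] - y[0]) % self.p, (x[1] - y[1]) % self.p)
    def mul(self, x, y):                     # three GF(p) multiplications (section 2.2)
        a, b = x[0] * y[0], x[1] * y[1]
        c = (x[0] + x[1]) * (y[0] + y[1]) - a - b   # = x0*y1 + x1*y0
        return ((b - c) % self.p, (a - c) % self.p)
    def sqr(self, x):                        # two squarings and one multiplication
        a, b, c = x[0] * x[0], x[1] * x[1], 2 * x[0] * x[1]
        return ((b - c) % self.p, (a - c) % self.p)
    def frob(self, x):                       # x^p is free: swap the coordinates
        return (x[1], x[0])

def t_double(F, t):
    """Corollary 2.4.2.i: T(2m) = T(m)^2 - 2*T(m)^p."""
    tp = F.frob(t)
    return F.sub(F.sqr(t), F.add(tp, tp))

def s_double(F, B, S):
    """S(k) -> S(2k) as in Algorithm 2.4.4 (Corollary 2.4.2.i and iii)."""
    t2, t1, t0 = S                           # T(k-2), T(k-1), T(k)
    mid = F.add(F.sub(F.mul(t0, t1), F.mul(B, F.frob(t1))), F.frob(t2))
    return (t_double(F, t1), mid, t_double(F, t0))

def trace_power_244(F, B, n):
    """Algorithm 2.4.4: T(n) by square-and-multiply on S(k), for n >= 1."""
    Bp = F.frob(B)
    S = (Bp, F.const(3), B)                  # S(1) = (T(-1), T(0), T(1))
    for bit in bin(n)[3:]:                   # bits of n below its leading one
        S = s_double(F, B, S)
        if bit == "1":                       # S(k) -> S(k+1), Corollary 2.4.2.ii
            t2, t1, t0 = S
            S = (t1, t0, F.add(F.sub(F.mul(B, t0), F.mul(Bp, t1)), t2))
    return S[2]

def trace_power_248(F, B, n):
    """Algorithm 2.4.8: for odd n > 2 walk the digits of 2^(r+1) - n, where
    2^r < n < 2^(r+1), replacing S(k) by S(2k) or by S(2k-1)."""
    assert n > 2 and n % 2 == 1
    Bp = F.frob(B)
    S = (F.const(3), B, t_double(F, B))      # S(2)
    r = n.bit_length() - 1
    d = (1 << (r + 1)) - n                   # digits n_j, 0 <= j < r
    for i in range(r - 1, -1, -1):
        if (d >> i) & 1 == 0:
            S = s_double(F, B, S)            # S(k) -> S(2k)
        else:                                # S(k) -> S(2k-1): Corollary 2.4.2.i, iii, iv
            t2, t1, t0 = S
            mid = F.add(F.sub(F.mul(t0, t1), F.mul(B, F.frob(t1))), F.frob(t2))
            low = F.add(F.sub(F.mul(t2, t1), F.mul(Bp, F.frob(t1))), F.frob(t0))
            S = (low, t_double(F, t1), mid)
    return S[2]

def trace_sequence(F, B, n):
    """Reference: T(-1..n) by the plain recurrence of Corollary 2.4.2.ii."""
    Bp = F.frob(B)
    T = {-1: Bp, 0: F.const(3), 1: B}
    for k in range(1, n):
        T[k + 1] = F.add(F.sub(F.mul(B, T[k]), F.mul(Bp, T[k - 1])), T[k - 2])
    return T

def all_algorithms_agree(n=41):
    """Both algorithms against the reference, for toy p, q and a constructed B."""
    p, q = find_p_q()
    F, B = GFp2(p), (5, 11)                  # constructed sample value of T(1)
    T = trace_sequence(F, B, n)
    return (all(trace_power_244(F, B, k) == T[k] for k in range(1, n + 1)) and
            all(trace_power_248(F, B, k) == T[k] for k in range(3, n + 1, 2)))
```

With these toy sizes `find_p_q()` returns $(p, q) = (17, 7)$ and $17^2 - 17 + 1 = 273 = 7 \cdot 39$. The only operations used are the $GF(p^2)$ additions, multiplications, squarings and coordinate swaps of section 2.2; $GF(p^6)$ is never constructed, which is the point of the representation. In `trace_power_248` the digits of $2^{r+1} - n$ decide between $S(2k)$ and $S(2k-1)$, and the step $S(k) \to S(2k-1)$ is where Corollary 2.4.2.iv enters.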

2.5 Computing powers of products 

Efficient representation and computation of powers of $g$ suffices for the implementation 
of many cryptographic protocols. Sometimes, however, the product of two powers of $g$ 
must be computed. For the standard representations this is straightforward, but in our 
representation computing products is relatively complicated. Here we sketch how the 
problem of computing the product of two powers of $g$ may be solved. Our description is 
geared towards cryptographic applications, but can easily be generalized. Let $B$ represent 
a generator $g$ of a subgroup of order $q$ dividing $p^2 - p + 1$, as in Lemma 2.3.1. Let $y = g^k$ 
for a secret integer $k$ (the private key), and let $C = y + y^{p-1} + y^{-p}$ be $y$'s representation. 
Obviously, the owner of the private key $k$ can easily arrange the computation of $C$ such 
that the representations $C_+$ of $g \cdot y = g^{k+1}$ and $C_-$ of $y/g = g^{k-1}$ are computed as well. We 
show that if $B$, $C$, $C_+$, and $C_-$ are known, then for any pair of integers $a, b$ the 
representation of $g^a \cdot y^b$ and its conjugates can be computed efficiently. 



Lemma 2.5.1. Let T(m) be the representation of g^m and its conjugates, and let A be the 
following 3x3-dimensional matrix over GF(p^2): 

    A = ( B  -B^p  1 ) 
        ( 1   0    0 ) 
        ( 0   1    0 ) 

Then 

    ( T(n+1) )         ( T(1)  ) 
    ( T(n)   ) = A^n * ( T(0)  ) 
    ( T(n-1) )         ( T(-1) ) 

where T(1) = B, T(0) = 3, and T(-1) = B^p (cf. 2.3.3 and 2.3.4). 



Proof. From the definition of A and T(n+1) = B * T(n) - B^p * T(n-1) + T(n-2) (cf. 
Corollary 2.4.2.ii) it follows that 

    ( T(n+1) )       ( T(n)   ) 
    ( T(n)   ) = A * ( T(n-1) ) 
    ( T(n-1) )       ( T(n-2) ) 

The proof follows by induction. 



Thus, if for the representations T(u) and T(v) of g^u and g^v the uth and vth powers of A are 
known, then the representation T(u+v) of g^(u+v) can simply be computed by applying 
Lemma 2.5.1 with n = u + v to A^(u+v) = A^u * A^v. We show how A^u can be obtained from 
T(u), if T(u+1) and T(u-1) are known as well. 



Lemma 2.5.2. Given T(0), T(1), T(-1), T(n), T(n+1), and T(n-1) the matrix A^n can be 
computed as 

          ( T(n)   T(n+1) T(n+2) )   ( T(0)  T(1)  T(2) )^-1 
    A^n = ( T(n-1) T(n)   T(n+1) ) * ( T(-1) T(0)  T(1) ) 
          ( T(n-2) T(n-1) T(n)   )   ( T(-2) T(-1) T(0) ) 

in a small constant number of operations in GF(p^2). 



Proof. Given T(0), T(1), T(-1), T(n), T(n+1), and T(n-1), Corollary 2.4.2.ii is used to 
compute T(±2) and T(n±2). As in the proof of Lemma 2.5.1 it follows that 

    ( T(n)   T(n+1) T(n+2) )         ( T(0)  T(1)  T(2) ) 
    ( T(n-1) T(n)   T(n+1) ) = A^n * ( T(-1) T(0)  T(1) ) 
    ( T(n-2) T(n-1) T(n)   )         ( T(-2) T(-1) T(0) ) 

The proof follows by observing that 

    ( T(-2) T(-1) T(0) ) 
    ( T(-1) T(0)  T(1) ) 
    ( T(0)  T(1)  T(2) ) 

is the product of the Vandermonde matrix 

    ( 1    1          1     ) 
    ( g    g^(p-1)    g^-p  ) 
    ( g^2  g^2(p-1)   g^-2p ) 

and its transpose, and therefore invertible. The determinant of the latter matrix equals 
T(p+1)^p - T(p+1), and (T(p+1)^p - T(p+1))^2 = B^(2p+2) + 18*B^(p+1) - 4*(B^(3p) + B^3) - 27 ∈ 
GF(p). Because p-th powering is for free in GF(p^2), the proof follows. 



Algorithm 2.5.3 for the computation of the representation of g^a * y^b for integers a, b 
with 1 < a, b < q, given the representation B of g and the representations C, C₊, and 
C₋ of y, y*g, and y/g respectively. 

1. Compute c = a/b mod q; 

2. Given B use Algorithm 2.4.8 to compute T(c+1), T(c), T(c-1) (note that the final 
applications of Corollary 2.4.2.i in Algorithm 2.4.8, if any, should be replaced by the 
usual calculation of the full S(2n)); 

3. Use Lemma 2.5.2 with T(0) = 3, T(1) = B, T(-1) = B^p, T(c), T(c+1), and T(c-1) to 
compute A^c; 

4. Use Lemma 2.5.2 with T(0) = 3, T(1) = B, T(-1) = B^p, T(k) = C, T(k+1) = C₊, and 
T(k-1) = C₋ to compute the corresponding power of A, which we denote by A^k even 
though k is unknown; 

5. Compute A^(c+k); 

6. Using Lemma 2.5.1 and A^(c+k) compute T(c + k); 

7. Use Algorithm 2.4.8 with B replaced by T(c + k) and n replaced by b to compute the 
representation T((c + k) * b) = T(a + k * b) of g^a * y^b. 

Figure 10A is a flow diagram of the arithmetic method to support generating digital 
signatures, as shown in section 2.5.3. 



Theorem 2.5.4. For randomly selected N-bit numbers a and b, the representation of 
g^a * y^b and its conjugates can be computed at an expected cost of 3*N squarings and 
6*N multiplications in GF(p^2) plus a small constant number of 3x3 matrix multiplications 
over GF(p^2). 

Proof. Immediate from Algorithm 2.5.3 and Theorem 2.4.9. 

Corollary 2.5.5. For randomly selected N-bit numbers a and b, the representation of g^a * 
y^b and its conjugates can be computed at an expected cost of 6*N squarings and 19*N 
multiplications in GF(p) plus a small constant number of 3x3 matrix multiplications over 
GF(p^2). 

Proof. Immediate from Algorithm 2.5.3, Corollary 2.4.10, and 2.2. 

Remark 2.5.6. Under the second assumption made in Remark 2.4.7, we find that the 
computation of the representation of g^a * y^b for a ≈ b ≈ q can be performed at an expected 
cost of about 23.8*log2(q) multiplications in GF(p). If the more traditional but fast 
method from [4] is used to represent GF(p^6), then computation of the representation of g^a 
* y^b takes almost 47*log2(q) multiplications in GF(p). If elements of <g> are represented 
using a 3rd degree extension of GF(p^2) (cf. Remark 2.4.7), then the computation of the 
representation of g^a * y^b takes about 51*log2(q) multiplications in GF(p). We conclude 
that both single and double exponentiations can be done much faster using our 
representation than using previously published techniques. 

3. Fast initialization 

We describe three different ways to compute a proper initial B as in Lemma 2.3.1, i.e., an 
element B of GF(p^2) such that there is a g ∈ GF(p^6) of order q dividing p^2 - p + 1 with 
B = g + g^(p-1) + g^-p. 

3.1 Straightforward approach 
Algorithm 3.1.1 for the computation of B. 

1. Pick at random a third degree monic irreducible polynomial over GF(p^2), and use that 
polynomial for representation of and arithmetic on elements of GF(p^6). 

2. Pick at random an element h ∈ GF(p^6)*; 

3. Compute the ((p^6 - 1)/q)th power g of h; 

4. If g = 1, then return to Step 2; 

5. Compute B = g + g^(p-1) + g^-p. 

Theorem 3.1.2. Algorithm 3.1.1 can be expected to require 3 irreducibility tests over 
GF(p^2) of third degree monic polynomials in GF(p^2)[X], and 1-1/q exponentiations in 
GF(p^6)* with exponent (p^6 - 1)/q. 

Proof. Immediate from the well known fact that a random monic third degree polynomial 
in GF(p^2)[X] is irreducible with probability 1/3. 

Although conceptually easy, Algorithm 3.1.1 requires actual representation of and 
manipulation with elements of GF(p^6). From an implementation point of view it is 
therefore less attractive. Note that a random third degree polynomial H(X) in GF(p^2)[X] 
can be tested for irreducibility by testing if gcd(X^(p^2) - X, H(X)) = 1 in GF(p^2)[X]. This 
requires about 2*log2(p) squarings and log2(p) multiplications of elements of 
GF(p^2)[X]/(H(X)), which can be carried out in 12*log2(p) squarings and 69*log2(p) 
multiplications in GF(p). 

3.2 Randomized approach using irreducibility 

Algorithm 3.2.1 for the computation of B. 

1. Pick at random an element B' ∈ GF(p^2)*\GF(p)*; 

2. If X^3 - B'X^2 + B'^p X - 1 ∈ GF(p^2)[X] is reducible, then return to Step 1; 

3. Use Algorithm 2.4.8 with B replaced by B' to compute T((p^2 - p + 1)/q) (i.e., with 
B' = T(1)); 

4. If T((p^2 - p + 1)/q) = 3, then return to Step 1; 

5. Let B = T((p^2 - p + 1)/q). 

To justify Algorithm 3.2.1 we use the following two lemmas. 

Lemma 3.2.2. An irreducible polynomial of the form X^3 - B'X^2 + B'^p X - 1 ∈ 
GF(p^2)[X] is the minimal polynomial of an element of GF(p^6) of order > 3 and dividing 
p^2 - p + 1. 

Lemma 3.2.3. For a randomly selected B' ∈ GF(p^2)*\GF(p)* the probability that the 
polynomial X^3 - B'X^2 + B'^p X - 1 ∈ GF(p^2)[X] is irreducible is about one third. 
Lemma 3.2.2 proves that it makes sense to apply Algorithm 2.4.8 with B replaced by B', 
because the role of g in Section 2 is played by some (unknown) element of GF(p^6) of 
order dividing p^2 - p + 1. This works because g never explicitly occurs in the computations 
in Algorithm 2.4.8 (except to compute B, which is replaced by B' for our current 
purposes). 

Lemma 3.2.3 proves that on average only about three different values for B' have 
to be selected before an irreducible polynomial is found. The proof of the following 
theorem is immediate. 

Theorem 3.2.4. Algorithm 3.2.1 can be expected to require 3*(1-1/q) irreducibility tests 
over GF(p^2) of third degree monic polynomials of the form X^3 - B'X^2 + B'^p X - 1 in 
GF(p^2)[X], and 1-1/q applications of Algorithm 2.4.8 with n = (p^2 - p + 1)/q. 

Proof of Lemma 3.2.2. Because X^3 - B'X^2 + B'^p X - 1 ∈ GF(p^2)[X] is irreducible its 
roots are in GF(p^6)*\GF(p^2)* and thus of order dividing (p^6 - 1)/(p^2 - 1) = p^4 + p^2 + 1. Denote 
the roots by h and its conjugates h^(p^2) and h^(p^4) = h^(-p^2-1), the latter because the order of h 
divides p^4 + p^2 + 1. If h^3 = 1, then h^(p^2) would be equal to h since p = 2 mod 3, and h would 
be in GF(p^2) contradicting the irreducibility. Because the order of h cannot be even, it 
follows that the order of h is > 3. Reversing the argument in the proof of Lemma 2.3.1 it 
follows that if h is a root, then so is h^-p. Thus either h = h^-p, or h^(p^2) = h^-p, or h^(-p^2-1) = h^-p. 
The first two possibilities are in contradiction with the fact that the order of h divides 
p^4 + p^2 + 1, that gcd(p^4 + p^2 + 1, p + 1) = 3, and that the order of h is > 3, and the last remaining 
possibility leads to the conclusion that the order of h divides p^2 - p + 1. 

Proof of Lemma 3.2.3. This follows from a straightforward counting argument. About 
p^2 - p elements of the subgroup of order p^2 - p + 1 of GF(p^6)* are roots of monic irreducible 
polynomials of the form X^3 - B'X^2 + B'^p X - 1 ∈ GF(p^2)[X] (cf. Lemma 2.3.1). Since 
each of these polynomials has three distinct roots, there must be about (p^2 - p)/3 different 
values for B' in GF(p^2)*\GF(p)* such that X^3 - B'X^2 + B'^p X - 1 is irreducible. 

Compared to Algorithm 3.1.1, the arithmetic in GF(p^6) is replaced in Algorithm 3.2.1 by 
application of Algorithm 2.4.8. That is much more convenient for the implementation of 
our method, because Algorithm 2.4.8 is required anyhow. We now show that the 
irreducibility tests can be replaced by an application of Algorithm 2.4.8 as well. 

3.3 Randomized approach without irreducibility 

If B' as in Step 1 of Algorithm 3.2.1 leads to an irreducible polynomial in Step 2, then 
we know that T(n) corresponds to the sum of the conjugates of the nth powers of an 
element of order dividing p^2 - p + 1 and we know how to compute T(n) efficiently based on 
B'. We now consider what we can say about a thus computed T(n) if the polynomial in 
Step 2 of Algorithm 3.2.1 is not known to be irreducible. This leads to results that are 
very similar to those of Section 2, but the proofs are slightly more cumbersome. 
Let B' be an element of GF(p^2) and let α, β, and γ be the, not necessarily distinct, roots 
of F(X) = X^3 - B'X^2 + B'^p X - 1 ∈ GF(p^2)[X]. 

Lemma 3.3.1. 

i. B' = α + β + γ; 

ii. α*β*γ = 1; 

iii. α^n*β^n + α^n*γ^n + β^n*γ^n = γ^-n + β^-n + α^-n for any integer n. 

Proof. Immediate. Note that iii uses ii. 

If F(X) is irreducible, then it follows from Lemma 3.2.2 that α, β, and γ are of the form 
g, g^(p-1), g^-p for some g in GF(p^6) of order > 3 and dividing p^2 - p + 1. If F(X) is reducible, 
we have the following lemma. 

Lemma 3.3.2. If F(X) is reducible, then α, β, γ are in GF(p^2). 

Proof. Using the same argument as in the proof of Lemma 3.2.2 we find that α^-p, β^-p, 
and γ^-p are also roots of F(X). Without loss of generality, we find that either α = α^-p, β 
= β^-p, γ = γ^-p, or α = α^-p, γ = β^-p, β = γ^-p, or β = α^-p, γ = β^-p, α = γ^-p. In the first case all 
roots have order divisible by p+1, so that they are all in GF(p^2). In the second case α has 
order divisible by p+1 and β and γ have order divisible by p^2 - 1, so that they are again all 
in GF(p^2). In the final case it follows that 1 = α*β*γ = α*α^-p*α^(p^2) = α^(1-p+p^2) = β^(1-p+p^2) 
= γ^(1-p+p^2). Because F(X) is reducible, at least one root, say α, is in GF(p^2), so that the 
order of α divides gcd(p^2 - p + 1, p + 1) = 3 (since p = 2 mod 3). But from α^3 = 1, β = α^-p, 
and γ = β^-p it now follows that α = β = γ = α^-p so that the third case does not occur but is 
covered by the first case. 

Definition 3.3.3. Let V(n) = α^n + β^n + γ^n. Note that V(1) = B' and that V(n) ∈ GF(p^2) 
because V(n) = T(n) if F(X) is irreducible and α, β, γ ∈ GF(p^2) otherwise. 

Lemma 3.3.4. V(np) = V(n)^p = α^-n + β^-n + γ^-n = V(-n). 

Proof. From the proof of Lemma 3.3.2 it follows that α + β + γ = α^-p + β^-p + γ^-p and, 
more generally, that α^m + β^m + γ^m = α^-mp + β^-mp + γ^-mp for any integer m. The proof 
follows by taking m = -n. 

Lemma 3.3.5. For any integer n the roots of the polynomial 
X^3 - V(n)X^2 + V(n)^p X - 1 ∈ GF(p^2)[X] are α^n, β^n, and γ^n. 

Proof. If F(X) is irreducible the result follows from Lemma 2.3.5, so let us assume that 
F(X) is reducible. As in the proof of Lemma 2.3.5 we compare the coefficients with the 
coefficients of the polynomial (X - α^n)(X - β^n)(X - γ^n). The coefficient of X^2 follows 
from Definition 3.3.3, the constant coefficient from Lemma 3.3.1.ii, and the coefficient of 
X from Lemma 3.3.1.iii and Lemma 3.3.4. 

It follows from Lemmas 2.3.5 and 3.3.5 that even if F(X) is reducible, V(n) and T(n) 
play very similar roles, because they can be used in the same way to define a polynomial 
that has the nth powers of the roots of F(X) as its roots. We now show that V(n) can be 
computed in the same way as T(n). 

Lemma 3.3.6. V(u+v) = V(u) * V(v) - V(v)^p * V(u-v) + V(u-2v). 

Proof. Immediate from the definition of V(u) and V(v)^p = V(-v) (cf. Lemma 3.3.4). 

Algorithms 2.4.4 and 2.4.8 are based on Corollary 2.4.2, which is based on Lemma 2.4.1. 
Lemma 3.3.6 is the equivalent of Lemma 2.4.1 with T replaced by V. Therefore, V(n) can 
be computed using Algorithm 2.4.4 or Algorithm 2.4.8 with B replaced by B' and T 
replaced by V. 

Lemma 3.3.7. F(X) ∈ GF(p^2)[X] is reducible if and only if V(p+1) ∈ GF(p). 

Proof. If F(X) is reducible then α, β, γ ∈ GF(p^2) (Lemma 3.3.2) so that α^(p+1), β^(p+1), γ^(p+1) 
∈ GF(p) and thus V(p+1) = α^(p+1) + β^(p+1) + γ^(p+1) ∈ GF(p). If V(p+1) ∈ GF(p), then V(p+1)^p 
= V(p+1), so that X^3 - V(p+1)X^2 + V(p+1)X - 1 has 1 as a root. Because the roots of X^3 - 
V(p+1)X^2 + V(p+1)X - 1 are the (p+1)st powers of the roots of F(X) (cf. Lemma 3.3.5), 
it follows that F(X) has a root of order dividing p+1, so that F(X) is reducible over 
GF(p^2). 

This leads to the following algorithm to find a proper initial B as in Lemma 2.3.1. 

Algorithm 3.3.8 for the computation of B. 

1. Pick at random an element B' ∈ GF(p^2)*\GF(p)*; 

2. Use Algorithm 2.4.8 with B replaced by B' and T replaced by V to compute V(p+1) 
(i.e., with B' = T(1) = V(1)); 

3. If V(p+1) ∈ GF(p), then return to Step 1; 

4. Use Algorithm 2.4.8 with B replaced by B' to compute T((p^2 - p + 1)/q) (i.e., with 
B' = T(1)); 

5. If T((p^2 - p + 1)/q) = 3, then return to Step 1; 

6. Let B = T((p^2 - p + 1)/q). 

Figure 7 is a flow diagram of the method of key generation, as shown in section 3.3.8. 

Theorem 3.3.9. Algorithm 3.3.8 computes an element B ∈ GF(p^2) such that B = g + g^(p-1) 
+ g^-p for an element g of GF(p^6) of order q > 3 dividing p^2 - p + 1. It can be expected to 
require 3*(1-1/q) applications of Algorithm 2.4.8 with n = p+1 and 1-1/q applications of 
Algorithm 2.4.8 with n = (p^2 - p + 1)/q. 

Proof. The correctness of Algorithm 3.3.8 follows from the fact that F(X) is irreducible 
if V(p+1) ∉ GF(p) (Lemma 3.3.7). The run time estimate follows from Lemma 3.2.3 and 
the fact that V(p+1) ∉ GF(p) if F(X) is irreducible (Lemma 3.3.7). 

4. Applications 

The subgroup representation method described in Section 2 can be used in any 
cryptosystem that relies on the (subgroup) discrete logarithm problem. In this section we 
describe some of these applications in more detail. We assume that primes p and q have 
been selected as described in 2.1 such that q divides p^2 - p + 1 and that B ∈ GF(p^2) has 
been determined as representation of a generator of a subgroup of order q, for instance 
using the method described in Section 3. We also discuss how the public key data p, q, 
and B may be represented, and we compare the performance of our method with RSA and 
ECC. 

4.1 Application to the Diffie-Hellman scheme 

Suppose that two parties, Alice and Bob, who both have access to the public key data p, 
q, B want to agree on a shared secret key. They can do this by performing the following 
variant of the Diffie-Hellman scheme: 

1. Alice selects at random an integer a, 1 < a < q - 2, uses Algorithm 2.4.8 to compute 
V_A = T(a) ∈ GF(p^2), and sends V_A to Bob. 

2. Bob receives V_A from Alice, selects at random an integer b, 1 < b < q - 2, uses 
Algorithm 2.4.8 to compute V_B = T(b) ∈ GF(p^2), and sends V_B to Alice. 

3. Alice receives V_B from Bob, and uses Algorithm 2.4.8 with B replaced by V_B (i.e., 
with V_B = T(1)) to compute K_AB = T(a) ∈ GF(p^2). 

4. Bob uses Algorithm 2.4.8 with B replaced by V_A (i.e., with V_A = T(1)) to compute 
K_AB = T(b) ∈ GF(p^2). 

The length of the messages exchanged in this DH variant is about one third of the length 
of the messages in other implementations of the DH scheme that achieve the same level 
of security and that are based on the difficulty of computing discrete logarithms in (a 
subgroup of) the multiplicative group of a finite field. Also, our variant of the DH scheme 
requires considerably less computation than those previously published methods (cf. 
Remark 2.4.11). 

Figure 8 is a flow diagram of the method of Diffie Hellman key exchange, as shown in 
section 4.1, using keys generated by the method of Figure 7. 
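The key generation of Algorithm 3.3.8 (with the B' = i*α + (i+1)*α^2 choice described in 4.4) followed by the exchange of 4.1, as an added example that is not part of the patent text: the GF(p^2) arithmetic in the {α, α^2} basis of 2.1, the T(n) ladder of Algorithm 2.4.8 built from the formulas of Corollary 2.4.2, and the toy parameters p = 29, q = 271 are all constructed here and are far too small for real use.

```python
# Added example, not from the patent: XTR trace arithmetic with the toy
# parameters p = 29, q = 271 (q divides p^2 - p + 1 = 813 = 3 * 271).
# GF(p^2) elements are pairs (x1, x2) meaning x1*alpha + x2*alpha^2, with
# alpha a root of X^2 + X + 1 (irreducible as p = 2 mod 3).  Hence
# alpha^3 = 1, 1 = -alpha - alpha^2 and alpha^p = alpha^2, so p-th powering
# (Frobenius) is just a swap of the two coordinates.
P = 29
Q = 271
assert P % 3 == 2 and (P * P - P + 1) % Q == 0

def f2_from_int(c):
    """Embed the integer c: c*1 = -c*alpha - c*alpha^2."""
    return ((-c) % P, (-c) % P)

def f2_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)

def f2_sub(a, b):
    return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)

def f2_mul(a, b):
    # (x1 a + x2 a^2)(y1 a + y2 a^2) = x2y2 a + x1y1 a^2 + (x1y2 + x2y1)*1
    x1, x2 = a
    y1, y2 = b
    m = x1 * y2 + x2 * y1
    return ((x2 * y2 - m) % P, (x1 * y1 - m) % P)

def f2_sqr(a):
    return f2_mul(a, a)

def f2_frob(a):
    """a^p: swap coordinates since alpha^p = alpha^2 and alpha^(2p) = alpha."""
    return (a[1], a[0])

def f2_in_base_field(a):
    """x1*alpha + x2*alpha^2 lies in GF(p) exactly when x1 == x2."""
    return a[0] == a[1]

THREE = f2_from_int(3)

def trace_power(b, n):
    """S(n) = (T(n-1), T(n), T(n+1)) for T(1) = b, T(0) = 3, T(-1) = b^p, n >= 1.
    Left-to-right ladder of Algorithm 2.4.8: each bit of n turns S(m) into
    S(2m) or S(2m+1) with the formulas of Corollary 2.4.2."""
    bp = f2_frob(b)
    s = (THREE, b, f2_sub(f2_sqr(b), f2_add(bp, bp)))   # S(1); T(2) = B^2 - 2B^p
    for bit in bin(n)[3:]:                              # bits after the leading 1
        tm1, tm, tp1 = s
        tm_p = f2_frob(tm)
        t2m = f2_sub(f2_sqr(tm), f2_add(tm_p, tm_p))    # T(2m) = T(m)^2 - 2T(m)^p
        # T(2m+1) = T(m+1)T(m) - B T(m)^p + T(m-1)^p
        t2m1 = f2_add(f2_sub(f2_mul(tp1, tm), f2_mul(b, tm_p)), f2_frob(tm1))
        if bit == "0":
            # T(2m-1) = T(m-1)T(m) - B^p T(m)^p + T(m+1)^p
            t2mm1 = f2_add(f2_sub(f2_mul(tm1, tm), f2_mul(bp, tm_p)), f2_frob(tp1))
            s = (t2mm1, t2m, t2m1)
        else:
            tp1_p = f2_frob(tp1)
            t2m2 = f2_sub(f2_sqr(tp1), f2_add(tp1_p, tp1_p))   # T(2m+2)
            s = (t2m, t2m1, t2m2)
    return s

def T(b, n):
    """T(n) computed from T(1) = b (Algorithm 2.4.8 with B replaced by b)."""
    return trace_power(b, n)[1]

def generate_B():
    """Algorithm 3.3.8, trying B' = i*alpha + (i+1)*alpha^2 for i = 2, 3, ...
    as in 4.4 instead of a random B'.  Returns (i, B)."""
    i = 2
    while True:
        b_prime = (i % P, (i + 1) % P)                  # never in GF(p)
        if not f2_in_base_field(T(b_prime, P + 1)):     # Lemma 3.3.7 test
            b = T(b_prime, (P * P - P + 1) // Q)
            if b != THREE:                              # Step 5
                return i, b
        i += 1

def dh_exchange(b, a, bb):
    """Section 4.1: V_A = T(a), V_B = T(b) and both parties' K_AB."""
    va, vb = T(b, a), T(b, bb)
    return va, vb, T(vb, a), T(va, bb)

if __name__ == "__main__":
    i, B = generate_B()
    va, vb, k_alice, k_bob = dh_exchange(B, 17, 123)
    print("i =", i, "B =", B, "shared key agrees:", k_alice == k_bob)
```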

4.2 Application to the ElGamal encryption scheme 

Suppose that Alice is the owner of the public key data p, q, B, and that Alice has selected 
a secret integer k and computed the corresponding public value C = T(k) using Algorithm 
2.4.8. Thus, Alice's public key data consists of (p, q, B, C). Given Alice's public key (p, 
q, B, C) Bob can encrypt a message M intended for Alice using the following variant of 
ElGamal encryption: 

1. Bob selects at random an integer b, 1 < b < q - 2; 

2. Bob uses Algorithm 2.4.8 to comp­ute V_B = T(b) ∈ GF(p^2); 

3. Bob uses Algorithm 2.4.8 with B replaced by C (i.e., with C = T(1)) to compute K = 
T(b) ∈ GF(p^2); 

4. Bob uses K to encrypt M, resulting in the encryption E. 

5. Bob sends (V_B, E) to Alice. 

Note that Bob may have to hash the bits representing K down to a suitable encryption key 
length. 

Upon receipt of (V_B, E), Alice decrypts the message in the following manner: 

1. Alice uses Algorithm 2.4.8 with B replaced by V_B (i.e., with V_B = T(1)) to compute K 
= T(k) ∈ GF(p^2); 

2. Alice uses K to decrypt E resulting in M. 

The message (V_B, E) sent by Bob consists of the actual encryption E, whose length 
strongly depends on the length of M, and the overhead V_B, whose length is independent of 
the length of M. The length of the overhead in this variant of the ElGamal encryption 
scheme is about one third of the length of the overhead in other implementations of 
message-length independent ElGamal encryption (cf. Remark 4.2.1). Also, our method is 
considerably faster (cf. Remark 2.4.11). Figure 9 is a flow diagram of the method of 
ElGamal encryption, as shown in section 4.2, using keys generated by the method of 
Figure 7. 

Remark 4.2.1. Our variant of ElGamal encryption is based on the common message- 
length independent version of ElGamal encryption, i.e., where the key K is used in 
conjunction with an (unspecified) symmetric key encryption method. In more traditional 
ElGamal encryption the message is restricted to the key space and 'encrypted' using, for 
instance, multiplication by the key, an invertible operation that takes place in the key 
space. In our description this would amount to requiring that M ∈ GF(p^2), and by 
computing E as K*M ∈ GF(p^2). Compared to this more traditional variant of ElGamal 
encryption we save a factor three on the length of both parts of the encrypted message, 
for messages that fit in our key space (of one third of the 'traditional' size). 

4.3 Application to digital signature schemes 

Let, as in 4.2, Alice's public key data consist of (p, q, B, C), where C = T(k) and k is 
Alice's private key. Furthermore, assume that C₊ = T(k+1) and C₋ = T(k-1) are included 
in Alice's public key (cf. 2.5). We show how the Nyberg-Rueppel (NR) message 
recovery signature scheme can be implemented using our subgroup representation. 
Application of our method to other digital signature schemes goes in a similar way. To 
sign a message M containing an agreed upon type of redundancy, Alice does the 
following: 

1. Alice selects at random an integer a, 1 < a < q - 2; 

2. Alice uses Algorithm 2.4.8 to compute V_A = T(a) ∈ GF(p^2); 

3. Alice uses V_A to encrypt M, resulting in the encryption E. 

4. Alice computes the (integer valued) hash h of E. 

5. Alice computes s = (k * h + a) modulo q in the range {0, 1, ..., q-1}. 

6. Alice's resulting signature on M is (E, s). 

As in 4.2 Alice may have to hash the bits representing V_A down to a suitable encryption 
key length. 

To verify Alice's signature (E, s) and to recover the signed message M, Bob does 
the following: 

1. Bob obtains Alice's public key data (p, q, B, C, C₊, C₋). 

2. Bob checks that 0 < s < q; if not, failure. 

3. Bob computes the hash h of E (using the same hash function used by Alice). 

4. Bob replaces h by -h modulo q (i.e., in the range {0, 1, ..., q-1}). 

5. Bob uses Algorithm 2.5.3 to compute the representation V_B of g^s * y^h given a = s, b = 
h, B, C, C₊, and C₋. 

6. Bob uses V_B to decrypt E resulting in the message M. 

7. If M contains the agreed upon type of redundancy, then the signature is accepted; if 
not the signature is rejected. 

Both for signature generation and signature verification our method is considerably faster 
than other subgroup based implementations of the NR scheme (cf. Remarks 2.4.11 and 
2.5.6). The length of the signature is identical to other variants of the NR scheme that are 
message-length independent (cf. Remark 4.2.1): an overhead part of length depending on 
the desired security (i.e., the subgroup size) and a message part of length depending on the 
message itself and the agreed upon redundancy. Similar statements hold for other digital 
signature schemes, such as DSA. 

Figure 10B is a flow diagram of the method of generating digital signatures, as shown in 
section 4.3, using keys generated by the method of Figure 7. 

4.4 Public key size 

For the applications in 4.1 and 4.2 a public key consisting of (p, q, B, C) suffices. For the 
digital signature application in 4.3 a much larger public key consisting of (p, q, B, C, C₊, 
C₋) is required. We assume that public keys are certified in some way, and that the 
certificates contain information identifying the owner of the key. Furthermore, we 
assume that the bit-lengths P of p and Q of q are fixed system parameters, known to all 
parties in the system, and that P > Q - 2 (cf. 2.1). We discuss how much overhead is 
required for the representation of the public key in a certificate, i.e., on top of the user ID 
and other certification related bits. 

If no attempts are made to compress the key, then representing (p, q, B, C) takes 
5*P + Q bits, and (p, q, B, C, C₊, C₋) requires 9*P + Q bits. We sketch one possible way 
how, at the cost of a small computational overhead for the recipient of the public key, p, 
q, and B can be represented using far fewer than 3*P + Q bits. 

First of all, the prime q can be determined as a function f of the user ID and a 
small seed s, for some function f that is known to all parties in the system. The seed could 
consist of a random part s_1 and a small additive part s_2 that is computed by the party that 
determines q, for instance by finding a small integer s_2 (of about log2(Q) bits) such that 
12*(f(ID, s_1) + s_2) + 7 is prime (and defines q, cf. 2.1). Given q, the smallest (or largest) 
root r in {0, 1, ..., q-1} of x^2 - x + 1 modulo q can be found using a single 
exponentiation in GF(q). From P an integer z_1 easily follows such that p should be at least 
r + z_1*q, and a small integer z_2 (of about log2(P) bits) can be found such that r + z_1*q + 
z_2*q is prime (and defines p, cf. 2.1). Thus, assuming that f, P, and Q are system-wide 
parameters, the primes q and p can be determined given the user ID, s, and z_2 at the cost 
of essentially a single exponentiation in GF(q). Alternatively, and if allowed by P, the 
party determining q may pick random s_1, s until r (or r + z_1*q) itself is prime (and defines 
p). In that case q and p are fully determined by and can quickly be recovered from the 
user ID and s. 
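The derivation of q and p from a user ID and seed sketched above, as an added example that is not the patent's own code: the system function f, the user ID, the seed and the small bit sizes are constructed placeholders, and the square root of -3 modulo q uses q = 3 mod 4 (which 12*(...)+7 guarantees) so that the root r really costs one exponentiation.

```python
# Added example, not from the patent: recovering q and p as in 4.4 from
# (ID, s_1, s_2, z_2) with constructed placeholders for f and the inputs.
import hashlib

def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases (deterministic for the
    sizes used here)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def f(user_id, s1, q_bits):
    """Constructed system function f(ID, s_1): a (q_bits - 4)-bit hash value,
    so that q = 12*(f + s_2) + 7 has about q_bits bits."""
    h = hashlib.sha256(f"{user_id}|{s1}".encode()).digest()
    return int.from_bytes(h, "big") >> (256 - (q_bits - 4))

def derive_q(user_id, s1, q_bits):
    """Find the small additive part s_2 with 12*(f(ID, s_1) + s_2) + 7 prime.
    Returns (q, s_2); q = 7 mod 12 gives q = 1 mod 3 and q = 3 mod 4."""
    base = f(user_id, s1, q_bits)
    s2 = 0
    while not is_probable_prime(12 * (base + s2) + 7):
        s2 += 1
    return 12 * (base + s2) + 7, s2

def root_of_x2_minus_x_plus_1(q):
    """Smallest root r in {0, ..., q-1} of x^2 - x + 1 modulo q, i.e.
    r = (1 +- sqrt(-3)) / 2, with sqrt(-3) = (-3)^((q+1)/4) because q = 3 mod 4
    and -3 is a square modulo q since q = 1 mod 3."""
    assert q % 12 == 7
    s = pow((-3) % q, (q + 1) // 4, q)
    assert s * s % q == (-3) % q
    inv2 = (q + 1) // 2                      # inverse of 2 modulo q
    return min((1 + s) * inv2 % q, (1 - s) * inv2 % q)

def derive_p(q, r, p_bits):
    """p = r + z_1*q + z_2*q prime with p = 2 mod 3 and about p_bits bits.
    z_1 is fixed by P and q; the small z_2 is what must be transmitted.
    Returns (p, z_2)."""
    z1 = max(0, ((1 << (p_bits - 1)) - r + q - 1) // q)   # p >= 2^(p_bits - 1)
    z2 = 0
    while True:
        p = r + (z1 + z2) * q                 # p = r mod q, so q | p^2 - p + 1
        if p % 3 == 2 and is_probable_prime(p):
            return p, z2
        z2 += 1

if __name__ == "__main__":
    q, s2 = derive_q("alice@example.org", 12345, 24)    # constructed ID and s_1
    r = root_of_x2_minus_x_plus_1(q)
    p, z2 = derive_p(q, r, 64)
    print(f"q = {q} (s_2 = {s2}), p = {p} (z_2 = {z2}), q | p^2-p+1: "
          f"{(p * p - p + 1) % q == 0}")
```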

To compress the number of bits required for the representation of B we assume 
that the party that determines B uses Algorithm 3.3.8, but instead of selecting B' at 
random in Step 1 of Algorithm 3.3.8, tries B' = i*α + (i+1)*α^2 (cf. 2.1) for i = 2, 3, 4, ..., in 
succession, until Step 6 is reached. The final i can usually be represented using at most 
5 bits (if not, just pick another s_1 and start all over again). The corresponding B can be 
determined given i at the cost of a single application of Algorithm 2.4.8 with B 
replaced by B', as in Step 4 of Algorithm 3.3.8. 

All these computations to recover p, q, and B can easily be performed by the recipient of 
a certificate. Correctness of the bits provided (i.e., if they lead to primes q and p of the 
right sizes, and to a B representing an order q element) should be verified by the 
certification authority. We conclude that p, q, and B can be selected in such a way that 
they can be recovered from the user ID and an additional log2(s_1) + log2(Q) + log2(P) + 5 
bits. In practical situations 48 additional bits, i.e., 6 bytes, should be enough. 

We conclude that for our versions of the DH scheme and ElGamal encryption the public 
key data overhead in the certificates can be limited to 48 + 2*P bits: 48 bits from which 
p, q, and B can be derived, and 2*P bits for C. For 170-bit subgroups and 1024-bit finite 
fields that is about one third of the size of traditional subgroup public keys. It is 
somewhat more than twice the size of an ECC public key, assuming the finite field, 
elliptic curve data, and group size are shared among all parties in the ECC system. If 
curves or finite fields are not shared, then ECC public keys need substantially more bits 
than our method when applied as in 4.1 or 4.2 unless similar ID based methods are used 
for curve and finite field generation (cf. 4.5). 

The public key overhead of our method when used in conjunction with digital 
signatures, as in 4.3, is much larger, namely 48 + 6*P bits. This is still competitive with 
traditional subgroup public key sizes, but more than non-shared ECC public key sizes. In 
the next subsection we show how 2*P bits can be saved at the cost of a moderate one 
time computation for the recipient of the public key. 

4.5 Reducing the public key size for digital signature applications 

For digital signature applications of our method the public key contains C, C₊, and C₋. 
We show that, at the cost of a moderate one time computation for the recipient of the 
public key, it suffices to send just two of C, C₊, and C₋, thereby reducing the public key 
overhead for digital signature applications of our method from 48 + 6*P to approximately 
48 + 4*P bits. An easy way to see this is as follows. Assume that C and C₊ are given. 
From Lemma 2.5.2 with T(0) = 3, T(1) = B, T(n) = C and T(n+1) = C₊ and the fact that 
the determinant of the matrix A equals 1 it follows that T(n-1) = C₋ has to be determined 
such that the determinant of the matrix from Lemma 2.5.2 with T(n) on the diagonal 
equals the determinant of the matrix from Lemma 2.5.2 with T(0) on the diagonal. This 
leads to a third degree equation in T(n-1) (i.e., C₋) over GF(p^2), which can be solved at 
the cost of a small number of p-th powerings in GF(p^2). The correct candidate can be 
determined at the cost of at most a few additional bits in the public key. We present a 
conceptually more complicated method that can be used not only to determine C₋ but 
that can also be used to establish the correctness of C₊ (i.e., that C₊ is the proper value 
corresponding to B and C). Let C = y + y^(p-1) + y^-p, as in 2.5. 

Definition 4.5.1. Let F_r ∈ GF(p^2)[X] denote the minimal polynomial over GF(p^2) of r ∈ 
GF(p^6). 

Definition 4.5.2. Let r, s ∈ GF(p^6). The root-product R(r,s) of r and s is defined as the 
polynomial with roots {a*b | a, b ∈ GF(p^6), F_r(a) = 0, F_s(b) = 0}. 

Lemma 4.5.3. Let r, s ∈ GF(p^6). Then R(r,s) = F_(rs) * F_(rs^(p^2)) * F_(rs^(p^4)) ∈ GF(p^2)[X]. 

Proof. According to Definition 4.5.2 the roots of the root-product R(r,s) are r^(p^i) s^(p^j) for i, 
j ∈ {0,2,4}, i.e., rs and its conjugates over GF(p^2) (for i = j), rs^(p^2) and its conjugates (for j 
= i + 2 mod 6), and rs^(p^4) and its conjugates (for j = i + 4 mod 6). The proof follows. 

Lemma 4.5.4. Given B and T(p-2), values K, L, M ∈ GF(p^2) such that g^p = Kg^2 + Lg + M 
modulo g^3 - Bg^2 + B^p g - 1 can be computed at the cost of a small constant number of 
operations in GF(p^2). 

Proof. By raising g^p = Kg^2 + Lg + M to the (p^i)th power for i = 0, 2, 4, and by adding the 
three resulting identities, we find that T(p) = KT(2) + LT(1) + MT(0). Similarly, from g^(p-1) 
= Kg + L + Mg^-1 and g^(p-2) = K + Lg^-1 + Mg^-2 it follows that T(p-1) = KT(1) + LT(0) + 
MT(-1) and T(p-2) = KT(0) + LT(-1) + MT(-2), respectively. With T(p-1) = T(p^2) = T(1) 
= B and T(p) = T(1)^p = B^p, this leads to the following system of equations over 
GF(p^2): 

    ( B^p    )   ( T(0)  T(1)  T(2) )   ( M ) 
    ( B      ) = ( T(-1) T(0)  T(1) ) * ( L ) 
    ( T(p-2) )   ( T(-2) T(-1) T(0) )   ( K ) 

Because T(p-2) is given and the matrix on the right hand side is invertible (cf. proof of 
Lemma 2.5.2) the proof follows. 

Lemma 4.5.5. Given B, C, and T(p-2), the root-product R(g, y) can be computed at the 
cost of a small constant number of operations in GF(p^2). 

Proof. Since C = y + y^(p-1) + y^-p we have that F_y(X) = X^3 - CX^2 + C^p X - 1 ∈ GF(p^2)[X]. For 
any z ∈ GF(p^6) the roots of the polynomial z^3 * F_y(X/z) ∈ GF(p^6)[X] are zy, zy^(p-1), zy^-p. 
Thus, R(g, y) ∈ GF(p^2)[X] can be written as the following product in GF(p^6)[X]: 

(g^3 * F_y(X*g^-1)) * (g^(3(p-1)) * F_y(X*g^(-p+1))) * (g^-3p * F_y(X*g^p)) = 
F_y(X*g^-1) * F_y(X*g^(-p+1)) * F_y(X*g^p), 

because the product of g and its conjugates equals 1. To compute R(g, y) we represent 
GF(p^6) as GF(p^2)[X]/F_g(X) = GF(p^2)(g), i.e., by adjoining g with g^3 - Bg^2 + B^p g - 1 = 0 to 
GF(p^2). In this representation, F_y(X*g^-1) can easily be computed. The remaining two 
factors F_y(X*g^(-p+1)) and F_y(X*g^p) can be computed given a representation of g^p in 
GF(p^2)(g), i.e., K, L, M ∈ GF(p^2) such that g^p = Kg^2 + Lg + M. With Lemma 4.5.4 the 
proof now follows. 

Lemma 4.5.6. Given B, C, C₊, and T(p-2), the correctness of C₊ can be checked at the 
cost of a small constant number of operations in GF(p^2). 

Proof. Given B and C, the value for C₊ is correct if the roots in GF(p^6) of the polynomial 
X^3 - C₊X^2 + C₊^p X - 1 ∈ GF(p^2)[X] are ab and their conjugates, where a is a root of X^3 - 
BX^2 + B^p X - 1 (i.e., a = g, g^(p-1), or g^-p) and b is a root of X^3 - CX^2 + C^p X - 1 (i.e., b = y, 
y^(p-1), or y^-p). According to Lemma 4.5.3 the root-product R(g,y) ∈ GF(p^2)[X] is the 
product of the three minimal polynomials of gy, gy^(p-1), and gy^-p, respectively, so that C₊ is 
correct if and only if the polynomial X^3 - C₊X^2 + C₊^p X - 1 ∈ GF(p^2)[X] divides R(g,y). 
The proof now follows from Lemma 4.5.5. 

Lemma 4.5.7. Given B, C, C₊, and T(p-2), the corresponding C₋ can be computed at the 
cost of a small constant number of operations in GF(p^2). 

Proof. Without loss of generality we assume that the roots of X^3 - C₊X^2 + C₊^p X - 1 are gy 
and its conjugates. It follows from Lemma 4.5.3 that the corresponding C₋ satisfies X^3 - 
C₋X^2 + C₋^p X - 1 = gcd(R(g^-1, y), R(g^-2, gy)). The proof now follows from the observation 
that the root-products R(g^-1, y) and R(g^-2, gy) can be computed as in the proof of Lemma 
4.5.5 (with C replaced by C₊ for the computation of R(g^-2, gy)). 

Lemma 4.5.8. Given $B$, the value of $T(p-2)$ can be computed at the cost of a square root computation in $GF(p)$, assuming one bit of information to resolve the square root ambiguity.

Proof. It follows from Corollary 2.4.2.ii, $T(p) = B^p$, and $T(p-1) = T(1) = B$ that $T(p-2) = T(p+1)$. Let $T(p+1) = x_1\alpha + x_2\alpha^2$ with $x_1, x_2 \in GF(p)$. Thus, $-(x_1 + x_2) = T(p+1)^p + T(p+1)$ (cf. 2.1). With $T(p+1) = g^{p+1} + g^{p-2} + g^{-2p+1}$, $T(p+1)^p = g^{-p-1} + g^{-p+2} + g^{2p-1}$, and

$$B^{p+1} = B \cdot B^p = (g + g^{p-1} + g^{-p})(g^{-1} + g^{-p+1} + g^{p}) = g^{p+1} + g^{p-2} + g^{-2p+1} + g^{-p-1} + g^{-p+2} + g^{2p-1} + 3 = T(p+1)^p + T(p+1) + 3$$

it follows that $x_1 + x_2 = 3 - B^{p+1} \in GF(p)$.

Similarly, it follows from straightforward evaluation that $(T(p+1)^p - T(p+1))^2 = -3(x_1 - x_2)^2$. With the identity for $(T(p+1)^p - T(p+1))^2$ given in the proof of Lemma 2.5.2 (it is the discriminant of $X^3 - BX^2 + B^pX - 1$) we find that $-3(x_1 - x_2)^2 = B^{2p+2} + 18B^{p+1} - 4(B^{3p} + B^3) - 27 \in GF(p)$. The proof follows by using that $x_1 + x_2 = 3 - B^{p+1}$: a square root in $GF(p)$ gives $x_1 - x_2$ up to sign, and the extra bit selects the sign.

It follows from Lemma 4.5.7 that $C_-$ does not have to be included in the public key for digital signature applications. A single additional bit is required in the public key if Lemma 4.5.8 is used by the recipient of the public key to compute $T(p-2)$. The expected cost of the computation of $T(p-2)$ using Lemma 4.5.8 is $1.3\log_2(p)$ multiplications in $GF(p)$ if we make the additional assumption that $p \equiv 3 \bmod 4$. Without Lemma 4.5.8, and without the additional bit, the computation of $T(p-2)$ takes an expected $11.9\log_2(p)$ multiplications in $GF(p)$, according to 2.4.11. Note that also $C_+$ does in principle not have to be included in the public key, because the recipient can determine $C_+$ by factoring the ninth degree polynomial $\mathfrak{R}(g, y) \in GF(p^2)[X]$ into three third degree irreducible polynomials in $GF(p^2)[X]$.

4.6 Comparison with RSA and ECC 

We give a rough comparison of the performance of RSA, ECC, and our method, which
we refer to as XTR. We assume that XTR with P = Q = 170 (cf. 4.4) offers
approximately the same security as 6*P-bit RSA with a 32-bit public exponent and as
ECC with a randomly selected curve over a random P-bit prime field and with a Q-bit
prime dividing the group order.

4.6.1. Public key sizes. For all systems the number of bits of the public keys depends on 
the way the public keys are generated, because in all cases considerable savings can be 
obtained by including the user ID in the generation process (cf. 4.4). For RSA the user ID 
may be included in the modulus (cf. [7]) and the public exponent may be fixed or 
determined as a function of the used ID. As a consequence, the size of the RSA public 
key varies between 3*P and 6*P + 32 bits, depending on whether ID based compression 
methods are used or not. If, in ECC, the curve and finite field information is shared, then 
the public key information consists of P + 1 bits for the public point, assuming its y- 
coordinate is represented by a single bit, irrespective of the inclusion of user ID 
information. In a non-shared ECC setup, the finite field, random curve, and group order 
information take approximately 3.5*P bits, plus a small constant number of bits to
represent a point of high order. Using a method similar to the one in 4.4 this can be 
reduced to an overhead (on top of the user ID) of, say, 48 bits (to generate the curve and 
finite field as a function of the user ID and 48 random bits) plus P/2 bits (for the group 
order information). Thus, non-shared ECC public key sizes vary between 49 + 1.5*P and 
1 + 4.5*P bits. For XTR the public key size varies between 48 + 2*P and 5*P + Q bits if 
no digital signatures are required or 48 + 4*P and 7*P + Q otherwise, as described in 4.4 
and 4.5. 

ID based key generation methods for RSA affect the way the modulus and its secret 
factors are determined. The ID based approach for RSA is therefore viewed with 
suspicion and not generally used, despite the fact that no attacks on the methods from, for 
instance, [7] are known. For discrete logarithm based methods (such as ECC and XTR) 
ID based key generation methods affect only the part of the public key that is not related 
to the secret information, i.e., the way the public point is determined is not affected. The 
ID based approach is therefore commonly used for discrete logarithm based systems. 
This distinction between RSA on the one hand, and ECC and XTR on the other hand, 
should be kept in mind while interpreting the public key length data in Table 1 . 

4.6.2. Speed. In Table 1 speed is measured as approximate number of multiplications in a 
170-bit field. RSA-encryption (or signature verification) with a 32-bit public exponent 
and a 6*P-bit field requires approximately 32 squarings and 16 multiplications in the 
field, which is assumed to be equivalent to approximately 0.8*32 + 16 multiplications, 
and thus about 36 times as many, i.e., about 1500, multiplications in a 170-bit field. The
number of operations required for RSA-decryption (or signature generation) is twice 
approximately 3*P squarings and 1.5*P multiplications in a 3*P-bit field, which amounts 
to about 11900 multiplications in a 170-bit field. For the ECC estimates we use the 
optimized results from [3], both for the two separate scalar multiplications in ECC- 
ElGamal encryption, and for the single scalar multiplication in ECC-ElGamal decryption 
and ECC-NR signature generation. The two scalar multiplications in ECC-NR signature 
verification can be combined, but it is as yet unclear if the methods from [3] can be used 
for this purpose. For that reason we use the estimate 2575 based on a rather 
straightforward but reasonably fast implementation; it is conceivable that this can be 
improved to, approximately, 2125 using the methods from [3]. The XTR estimates are 
based on 4.2, Remark 2.4.11, 4.3, and Remark 2.5.6.

The speeds given in Table 1 should not be confused with actual run times.
Relatively speaking, actual run times for ECC and XTR should be close to the figures in
Table 1. The performance of RSA may be somewhat better because in practical
implementations a single 510-bit modular multiplication may be faster than nine 170-bit
modular multiplications.

4.6.3. Signature and encryption size. For the encryption and digital signature sizes we 
assume a message consisting of m bits (including the redundancy) and, in 4.2, 4.3, and 
similar ECC applications, a symmetric encryption method using a 128-bit key. For RSA 
we assume that if the message is too long (to be encrypted or signed with message 
recovery using a single RSA application), then RSA is used in conjunction with the same 
symmetric encryption method. 

4.6.4. Key generation. For RSA two independent 3P-bit primes have to be generated. 
For XTR either two independent P-bit primes (assuming z 2 as in 4.4 is allowed to be non- 
zero), or two dependent P-bit primes (assuming z 2 as in 4.4 is 0) have to be generated. In 
the former case XTR key generation may be expected to be about 3^4 = 81 times faster
than RSA key generation. In the latter case RSA and XTR key generation is about 
equally expensive for P = 170: on the order of 2*(3P) 4 bit operations for RSA, and on the 
order of P 5 bit operations for XTR. ECC key generation is orders of magnitude slower 
and considerably more complicated than either RSA or XTR key generation. 



Table 1 (speeds in multiplications in a 170-bit field, sizes in bits, m = message length in bits)

                                      RSA               ECC                              XTR (non-shared only)
                                                        shared     non-shared            no signing   with signing
Public key size, ID-based             510               171        304                   388          728
Public key size, non ID-based         1056              171        766                   1020         1360
Encryption speed                      1500              3400                             4046
Decryption speed                      11900             1700                             2023
Approximate encryption size           max(1024,128+m)   171+m                            340+m
Digital signature generation speed    11900             1700                             2023
Digital signature verification speed  1500              2575                             4046
Approximate digital signature size    max(1024,128+m)   170+m                            170+m
Key generation                        two independent   curve with 170-bit prime         two 170-bit primes
                                      510-bit primes    order subgroup

The speed, size, and key generation entries apply to both ECC variants and to both XTR variants; only the public key sizes differ per variant.
5. Security

For completeness we sketch the straightforward proofs that traditional subgroup discrete 
logarithm and DH problems offer the same security as our versions. Let the notation be as 
in Section 2. 

Lemma 5.1. Given $y \in \langle g \rangle$, the discrete logarithm of $y$ with respect to $g$ can be found using a single call to an oracle that given a value $v \in GF(p^2)$ produces an integer $a$ such that $T(a) = v$, if such an integer exists.

Proof sketch. Let $y = g^b$ for some unknown integer $b$. Let $a$ be the integer produced by an oracle call with $v = y + y^{p-1} + y^{-p} \in GF(p^2)$; then $a \equiv b$, or $a \equiv b(p-1) \bmod (p^2 - p + 1)$, or $a \equiv -bp \bmod (p^2 - p + 1)$. Thus, $b$ can be found by trying at most three different possibilities.

Lemma 5.2. Given $v \in GF(p^2)$ an integer $a$ such that $T(a) = v$, if such an integer exists, can be found using a single call to an oracle that solves the discrete logarithm problem in $\langle g \rangle$.

Proof sketch. Let $v \in GF(p^2)$. Determine the roots $\alpha, \beta, \gamma \in GF(p^6)$ of the polynomial $X^3 - vX^2 + v^pX - 1 \in GF(p^2)[X]$. If $\alpha, \beta, \gamma \notin \langle g \rangle$ (which can easily be checked), then $a$ with $T(a) = v$ does not exist. Otherwise, assume without loss of generality that $\alpha \in \langle g \rangle$, and use the oracle to produce an integer $a$ such that $g^a = \alpha$. This $a$ satisfies $T(a) = v$.

Lemma 5.3. Given $g^a$ and $g^b$ for unknown integers $a$ and $b$, the value $g^{ab}$ can be computed using two calls to an oracle that given $T(u)$ and $T(v)$, for unknown integers $u$, $v$, determines $T(uv)$.

Proof sketch. Given $g^a$ compute its conjugates $g^{a(p-1)}$ and $g^{-ap}$ and $T(a) = g^a + g^{a(p-1)} + g^{-ap}$. Similarly, compute $T(b)$ and, using $g^a/g = g^{a-1}$, compute $T(a-1)$. Determine $T(ab)$ and $T((a-1)b)$ using two calls to the oracle. Determine the roots $\alpha, \beta, \gamma \in GF(p^6)$ of the polynomial $X^3 - T(ab)X^2 + T(ab)^pX - 1 \in GF(p^2)[X]$. We have that $\{\alpha, \beta, \gamma\} = \{g^{ab}, g^{ab(p-1)}, g^{-abp}\}$, but it is unclear which of $\alpha, \beta, \gamma$ is the value $g^{ab}$ that we are looking for. For that reason we determine the roots $\alpha', \beta', \gamma' \in GF(p^6)$ of the polynomial $X^3 - T((a-1)b)X^2 + T((a-1)b)^pX - 1 \in GF(p^2)[X]$. We have that $\{\alpha', \beta', \gamma'\} = \{g^{(a-1)b}, g^{(a-1)b(p-1)}, g^{-(a-1)bp}\}$, so $g^{ab}$ can be determined as $\{\alpha, \beta, \gamma\} \cap \{\alpha' g^b, \beta' g^b, \gamma' g^b\}$.

Corollary 5.4. Given $g^a$ and $g^b$ for unknown integers $a$ and $b$, the value $g^{ab}$ can be found with probability $\varepsilon/3$ using a single call to an oracle that given $T(u)$ and $T(v)$, for unknown integers $u$, $v$, determines $T(uv)$ with probability $\varepsilon$.

Corollary 5.5. Given $g^a$ and $g^b$ for unknown integers $a$ and $b$, the value $g^{ab}$ can be computed using a single call to an oracle that given $T(u)$ and $T(v)$, for unknown integers $u$, $v$, determines $T(uv)$, and at most two calls to an oracle that asserts the correctness of the resulting value $g^{ab}$.

It follows from Corollary 5.5 that in many practical situations a single call to the T(u), 
T(v) -> T(uv) oracle would suffice to find g ab given g a and g b . As an example we mention 
DH key agreement where the resulting key is actually used after it has been established. 

Lemma 5.6. Given $T(u)$ and $T(v)$ for unknown integers $u$, $v$, the value $T(uv)$ can be found using a single call to an oracle that given $g^a$ and $g^b$, for unknown integers $a$ and $b$, determines $g^{ab}$.

Proof sketch. Determine the roots $\alpha, \beta, \gamma \in GF(p^6)$ of the polynomial $X^3 - T(u)X^2 + T(u)^pX - 1 \in GF(p^2)[X]$ and the roots $\alpha', \beta', \gamma' \in GF(p^6)$ of the polynomial $X^3 - T(v)X^2 + T(v)^pX - 1 \in GF(p^2)[X]$. We have that $\alpha = g^{u(p-1)^i}$ and $\alpha' = g^{v(p-1)^j}$ for unknown $i, j \in \{0, 1, 2\}$. From $\alpha$ and $\alpha'$ determine $g^{uv(p-1)^{i+j}}$ using a single call to the oracle. Because the order of $g$ divides $p^2 - p + 1$ the sum of $g^{uv(p-1)^{i+j}}$ and its conjugates equals $T(uv)$.

6. Extensions 

Methods similar to the ones described in this paper can be used for compact 
representation of and fast arithmetic with elements of a subgroup of order dividing p + 1 
in GF(p 2 )*, as used for instance in the public key system LUC (cf. [9]). For that 
application the savings obtained are smaller than in our application, and the resulting 
comparison to RSA and ECC is less favorable. For that reason we do not elaborate. 
Instead of representing powers of $g$ (and their conjugates) of order $q$ dividing $\Phi_6(p)$ by elements of $GF(p^2)$ as opposed to $GF(p^6)$, we can represent powers of elements of order dividing $\Phi_{30}(p)$ by elements of $GF(p^{10})$ as opposed to $GF(p^{30})$ using the same methods as presented in sections 2 to 5. Because $10 + 1 = 11$ is prime (just as $2 + 1 = 3$ is prime) we can use an optimal normal basis to represent the underlying field $GF(p^{10})$, but the overall construction is more complicated and fewer suitable primes are available while no additional savings are obtained. The same holds for any integer $x$ for which $2x + 1$ is prime: powers of elements of order dividing $\Phi_{6x}(p)$ can be represented in $GF(p^{2x})$ as opposed to $GF(p^{6x})$, and the arithmetic with those powers in the field $GF(p^{2x})$ is efficient. The case $x = 1$, as described in detail in this paper, is the most efficient and most flexible of this more general construction. For that reason we do not present the details of the more general construction.

We are not aware of constructions similar to the ones described in this paper that obtain
more savings than obtained by our construction. We have reason to believe that such
constructions do not exist, but at this point this is merely a conjecture for which
reasonable evidence seems to exist (cf. [2]).
Although illustrative embodiments of the present invention, and various
modifications thereof, have been described in detail herein with reference to the
further modifications may be effected therein by one skilled in the art without departing
from the scope or spirit of the invention as defined in the appended claims.
CLAIMS

What is claimed is:

1. A method of determining a public key having a reduced length and a factor p,
using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing
GF(p^6), comprising the steps of:

selecting a number q and a number p such that p**2 - p + 1 is an integer multiple
of q;

selecting a number g of order q, where g and its conjugates can be represented by
B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

representing the powers of g using their trace over the field GF(p^2);

selecting a private key; and

computing a public key as a function of g.

2. A method of encrypting a message using the public key generated by the method 
of claim 1. 

3. A method of decrypting a message using the public and private key generated by 
the method of claim 1 . 

4. A method of signing a message using the public and private key generated by the 
method of claim 1. 

5. A method of verifying a signature using the public key generated by the method 
of claim 1 . 

6. A method of Diffie Hellman key exchange and related schemes using the public 
key generated by the method of claim 1 . 


7. A system for determining a public key having a reduced length and a factor p,
using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing
GF(p^6), comprising:

a processor for selecting a number q and a number p such that p**2 - p + 1 is an
integer multiple of q;

said processor selecting a number g of order q, where g and its conjugates can be
represented by B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1),
g**(-p);

said processor representing the powers of g using their trace over the field GF(p^2);

said processor selecting a private key;

a memory coupled to said processor for storing the private key;

said processor computing a public key as a function of g; and

a network interface for distributing said public key over a network.

8. A system of encrypting a message using the public key generated by the system of 
claim 7. 

9. A system of decrypting a message using the public and private key generated by 
the system of claim 7. 

10. A system of signing a message using the public and private key generated by the 
system of claim 7. 

11. A system of verifying a signature using the public key generated by the system of 
claim 7. 
12. A system of Diffie Hellman key exchange and related schemes using the public
key generated by the system of claim 7.

13. A computer program article of manufacture, comprising:

a computer readable medium for determining a public key having a reduced
length and a factor p, using GF(p^2) arithmetic to achieve GF(p^6) security, without
explicitly constructing GF(p^6), comprising:

a computer program means in said computer readable medium, for selecting a
number q and a number p such that p**2 - p + 1 is an integer multiple of q;

a computer program means in said computer readable medium, for selecting a
number g of order q, where g and its conjugates can be represented by B, where Fg(x) =
x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

a computer program means in said computer readable medium, for representing
the powers of g using their trace over the field GF(p^2);

a computer program means in said computer readable medium, for selecting a
private key; and

a computer program means in said computer readable medium, for computing a
public key as a function of g.

14. The article of manufacture of claim 13, which further comprises: 

a computer program means in said computer readable medium, for encrypting a 
message using the public key. 

15. The article of manufacture of claim 13, which further comprises: 

a computer program means in said computer readable medium, for decrypting a 
message using the public and private key. 
16. The article of manufacture of claim 13, which further comprises:

a computer program means in said computer readable medium, for signing a 
message using the public and private key. 

17. The article of manufacture of claim 13, which further comprises: 

a computer program means in said computer readable medium, for verifying a 
signature using the public key. 

18. The article of manufacture of claim 13, which further comprises: 

a computer program means in said computer readable medium, for Diffie Hellman 
key exchange and related schemes using the public key. 

19. A business method of determining a public key having a reduced length and a
factor p, using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly
constructing GF(p^6), comprising the steps of:

selecting a number q and a number p such that p**2 - p + 1 is an integer multiple
of q;

selecting a number g of order q, where g and its conjugates can be represented by
B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

representing the powers of g using their trace over the field GF(p^2);

selecting a private key; and

computing a public key as a function of g.

20. A method of encrypting a message using the public key generated by the business 
method of claim 19. 
21. The method of decrypting a message using the public and private key generated
by the business method of claim 19.

22. The method of signing a message using the public and private key generated by 
the business method of claim 19. 

23. The method of verifying a signature using the public key generated by the 
business method of claim 19. 

24. The method of Diffie Hellman key exchange and related schemes using the public 
key generated by the business method of claim 19. 
ABSTRACT OF THE DISCLOSURE



Improvements are obtained in key generation and cryptographic applications in public 
key cryptography, by reducing the bit-length of public keys, thereby reducing the 
bandwidth requirements of telecommunications devices, such as wireless telephone sets. 
USE THE PUBLIC KEY AND THE PRIVATE KEY
IN ENCRYPTION AND DECRYPTION, 
IN DIGITAL SIGNATURE SIGNING AND VERIFICATION, 
AND IN KEY EXCHANGE AND RELATED SCHEMES 



Let $p \equiv 2 \bmod 3$ be a prime number such that $6\log_2(p) \approx 1024$ and such that $\Phi_6(p) = p^2 - p + 1$ has a prime factor $q$ with $\log_2(q) > 160$. Such $p$ and $q$ (or of any other reasonable desired size) can quickly be found by picking a prime $q \equiv 7 \bmod 12$, by finding the two roots $r_1$ and $r_2$ of $x^2 - x + 1 \equiv 0 \bmod q$, and by finding an integer $k$ such that $r_i + kq$ is $2 \bmod 3$ and prime for $i = 1$ or $2$. If desired, primes $q$ can be selected until the smallest or the largest root is prime, or any other straightforward variant that fits one's needs may be used, for instance to get $\log_2(q) \approx 180$ and $6\log_2(p) \approx 3000$, i.e., $\log_2(p)$ considerably bigger than $\log_2(q)$. From $q \equiv 7 \bmod 12$ it follows that $q \equiv 1 \bmod 3$ so that, with quadratic reciprocity, $x^2 - x + 1 \equiv 0 \bmod q$ has two roots. It also follows that $q \equiv 3 \bmod 4$ which implies that those roots can be found using a single $((q+1)/4)$-th powering modulo $q$.
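The $p$, $q$ selection procedure just described, as an added worked example that is not code from the patent: a prime $q \equiv 7 \bmod 12$ is chosen first, the two roots of $x^2 - x + 1 \bmod q$ are obtained with one $((q+1)/4)$-th powering, and $p = r_i + kq$ is scanned until it is prime and $\equiv 2 \bmod 3$, which by construction makes $q$ divide $p^2 - p + 1$. The function names, the Miller-Rabin test, and the toy bit lengths in the `main` guard are assumptions of this example; the patent's own sizes are $\log_2(q) > 160$ and $6\log_2(p) \approx 1024$.

```python
import random


def is_probable_prime(n, rounds=32, rng=random.Random(1)):
    """Miller-Rabin primality test (assumed helper; use a vetted library in production)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roots_of_x2_minus_x_plus_1(q):
    """Both roots of x^2 - x + 1 = 0 mod q for a prime q = 7 mod 12 (section 2.1):
    x = (1 +/- sqrt(-3))/2, where sqrt(-3) is the single powering (-3)^((q+1)/4) mod q
    because q = 3 mod 4; -3 is a quadratic residue because q = 1 mod 3."""
    assert q % 12 == 7
    s = pow(-3 % q, (q + 1) // 4, q)
    assert s * s % q == -3 % q
    inv2 = pow(2, -1, q)
    r1, r2 = (1 + s) * inv2 % q, (1 - s) * inv2 % q
    assert (r1 * r1 - r1 + 1) % q == 0 and (r2 * r2 - r2 + 1) % q == 0
    return r1, r2


def select_p_q(q_bits, p_bits, seed):
    """Return (p, q): q prime with q = 7 mod 12, p prime with p = 2 mod 3 and q | p^2 - p + 1.
    The seed keeps the example reproducible; p and q are public, so the RNG only has to
    avoid weak or repeated parameters rather than be secret."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1))
        q -= (q - 7) % 12                      # force q = 7 mod 12
        if q.bit_length() != q_bits or not is_probable_prime(q):
            continue
        for r in roots_of_x2_minus_x_plus_1(q):
            # every p = r + k*q satisfies p^2 - p + 1 = 0 mod q; scan k for a prime p = 2 mod 3
            k = max(0, ((1 << (p_bits - 1)) - r) // q)
            for _ in range(40 * p_bits):
                p = r + k * q
                k += 1
                if p.bit_length() > p_bits:
                    break
                if p.bit_length() == p_bits and p % 3 == 2 and is_probable_prime(p):
                    return p, q


if __name__ == "__main__":
    p, q = select_p_q(40, 60, seed=2024)       # toy sizes, an assumption for this example
    print(f"q = {q}  (q mod 12 = {q % 12})")
    print(f"p = {p}  (p mod 3 = {p % 3}), (p^2 - p + 1) mod q = {(p * p - p + 1) % q}")
```

The divisibility $q \mid p^2 - p + 1$ never has to be searched for: it is guaranteed by choosing $p$ in the residue class of a root of $x^2 - x + 1 \bmod q$, which is why the inner loop only has to test primality and $p \bmod 3$.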



By $g \in GF(p^6)$ we denote an element of order $q$. It is well known that $g$ is not contained in any proper subfield of $GF(p^6)$ (cf. [4]). In the next section it is shown that there is no need for an actual representation of $g$ and that arithmetic on elements of $GF(p^6)$ can be entirely avoided. Thus, there is no need to represent elements of $GF(p^6)$, for instance by constructing an irreducible 3rd degree polynomial over $GF(p^2)$. A representation of $GF(p^2)$ is needed however. This is done as follows.



From $p \equiv 2 \bmod 3$ it follows that $p \bmod 3$ generates $GF(3)^*$, so that the zeros $\alpha$ and $\alpha^p$ of the polynomial $(X^3 - 1)/(X - 1) = X^2 + X + 1$ form an optimal normal basis for $GF(p^2)$ over $GF(p)$. Because $\alpha^i = \alpha^{i \bmod 3}$, an element $x \in GF(p^2)$ can be represented as $x_0\alpha + x_1\alpha^p = x_0\alpha + x_1\alpha^2$ for $x_0, x_1 \in GF(p)$, so that $x^p = x_0^p\alpha^p + x_1^p\alpha^{2p} = x_1\alpha + x_0\alpha^2$. Thus $p$-th powering is a swap of the two coordinates and costs no multiplication, and $x \in GF(p)$ if and only if $x_0 = x_1$.



Figure 5 is a flow diagram of the method for selection of p and q, as shown
in section 2.1.
Algorithm for the computation of $T(n)$ given $B$. Given $B$ (and $B^p$), we show
how $S(n+1)$ and $S(2n)$ can be computed based on $S(n)$. Computation of $T(n)$ for arbitrary
$n$ then follows using the ordinary square and multiply method based on $S(1) = (B^p, 3, B)$
(cf. Definition 2.4.3).



• $S(n+1)$ can be computed from $S(n)$ using Corollary 2.4.2.ii. This takes two
multiplications in $GF(p^2)$.

• $S(2n)$ can be computed by first using Corollary 2.4.2.i to compute $T(2n-2)$ and $T(2n)$
given $S(n)$, at the cost of two squarings in $GF(p^2)$, followed by an application of
Corollary 2.4.2.iii to compute $T(2n-1)$ at the cost of two multiplications in $GF(p^2)$.

In both steps we use that $p$-th powering is for free in $GF(p^2)$.

Figure 6 is a flow diagram of the arithmetic method to support key 
generation, as shown in section 2.4.4. 
Algorithm 3.3.8 for the computation of $B$.

1. Pick at random an element $B' \in GF(p^2)^* \setminus GF(p)^*$;

2. Use Algorithm 2.4.7 with $B$ replaced by $B'$ and $T$ replaced by $V$ to compute $V(p+1)$
(i.e., with $B' = T(1) = V(1)$);

3. If $V(p+1) \in GF(p)$, then return to Step 1;

4. Use Algorithm 2.4.7 with $B$ replaced by $B'$ to compute $T((p^2 - p + 1)/q)$ (i.e., with
$B' = T(1)$);

5. If $T((p^2 - p + 1)/q) = 3$, then return to Step 1;

6. Let $B = T((p^2 - p + 1)/q)$.

Figure 7 is a flow diagram of the method of key generation, as shown in 
section 3.3.8. 
4.1 Application to the Diffie-Hellman scheme

Suppose that two parties, Alice and Bob, who both have access to the public key data $p$,
$q$, $B$ want to agree on a shared secret key. They can do this by performing the following
variant of the Diffie-Hellman scheme:

1. Alice selects at random an integer $a$, $1 < a < q - 2$, uses Algorithm 2.4.7 to compute
$V_A = T(a) \in GF(p^2)$, and sends $V_A$ to Bob.

2. Bob receives $V_A$ from Alice, selects at random an integer $b$, $1 < b < q - 2$, uses
Algorithm 2.4.7 to compute $V_B = T(b) \in GF(p^2)$, and sends $V_B$ to Alice.

3. Alice receives $V_B$ from Bob, and uses Algorithm 2.4.8 with $B$ replaced by $V_B$ (i.e.,
with $V_B = T(1)$) to compute $K_{AB} = T(a) \in GF(p^2)$.

4. Bob uses Algorithm 2.4.8 with $B$ replaced by $V_A$ (i.e., with $V_A = T(1)$) to compute
$K_{AB} = T(b) \in GF(p^2)$.

Both parties obtain the same value, namely $T(ab)$ with respect to $g$, because $V_B$ is the trace of $g^b$ and $V_A$ is the trace of $g^a$.

The length of the messages exchanged in this DH variant is about one third of the length
of the messages in other implementations of the DH scheme that achieve the same level
of security and that are based on the difficulty of computing discrete logarithms in (a
subgroup of) the multiplicative group of a finite field. Also, our variant of the DH scheme
requires considerably less computation than those previously published methods (cf.
Remark 2.4.10).

Figure 8 is a flow diagram of the method of Diffie Hellman key 
exchange, as shown in section 4.1, using keys generated by the method 
of Figure 7. 
4.2 Application to the ElGamal encryption scheme

Suppose that Alice is the owner of the public key data $p$, $q$, $B$, and that Alice has selected
a secret integer $k$ and computed the corresponding public value $C = T(k)$ using Algorithm
2.4.7. Thus, Alice's public key data consists of $(p, q, B, C)$. Given Alice's public key $(p,
q, B, C)$ Bob can encrypt a message $M$ intended for Alice using the following variant of
ElGamal encryption:

1. Bob selects at random an integer $b$, $1 < b < q - 2$;

2. Bob uses Algorithm 2.4.7 to compute $V_B = T(b) \in GF(p^2)$;

3. Bob uses Algorithm 2.4.7 with $B$ replaced by $C$ (i.e., with $C = T(1)$) to compute $K =
T(b) \in GF(p^2)$;

4. Bob uses $K$ to encrypt $M$, resulting in the encryption $E$;

5. Bob sends $(V_B, E)$ to Alice.

Note that Bob may have to hash the bits representing $K$ down to a suitable encryption key
length.

Upon receipt of $(V_B, E)$, Alice decrypts the message in the following manner:

1. Alice uses Algorithm 2.4.7 with $B$ replaced by $V_B$ (i.e., with $V_B = T(1)$) to compute $K
= T(k) \in GF(p^2)$;

2. Alice uses $K$ to decrypt $E$ resulting in $M$.

The message $(V_B, E)$ sent by Bob consists of the actual encryption $E$, whose length
strongly depends on the length of $M$, and the overhead $V_B$, whose length is independent of
the length of $M$. The length of the overhead in this variant of the ElGamal encryption
scheme is about one third of the length of the overhead in other implementations of
message-length independent ElGamal encryption (cf. Remark 4.2.1). Also, our method is
considerably faster (cf. Remark 2.4.10).



Figure 9 is a flow diagram of the method of ElGamal encryption, as 
shown in section 4.2, using keys generated by the method of Figure 7. 
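The arithmetic behind the procedures above, as an added worked example rather than code from the patent: the $GF(p^2)$ normal-basis representation of section 2.1 (with $p$-th powering as a coordinate swap), the $S(n)$ ladder of section 2.4.4 for $T(n)$, Algorithm 3.3.8 for $B$, the two trace computations that make up the Diffie-Hellman exchange of 4.1 (and, with $C$ in place of $V_A$, the shared key of the ElGamal variant of 4.2), and the square-root recovery of $T(p-2)$ from $B$ of Lemma 4.5.8. The doubling and stepping formulas written into `trace` are the standard XTR recurrences the page refers to as Corollary 2.4.2.i-iii. The toy parameters $p = 59$, $q = 7$, the class and function names, and the seeded RNG are assumptions of this example; Python's `random` is used only for the public parameter $B$, never for the private exponents $a$, $b$, $k$, which in practice come from an OS-backed CSPRNG such as `secrets`.

```python
import random

# Toy parameters, an assumption for this example: q = 7, p = 59 (p = 2 mod 3, p = 3 mod 4,
# q | p^2 - p + 1), as the section 2.1 procedure produces at tiny sizes.
P, Q = 59, 7
assert P % 3 == 2 and P % 4 == 3 and (P * P - P + 1) % Q == 0


class F2:
    """x = x0*alpha + x1*alpha^2 in GF(p^2); alpha^2 + alpha + 1 = 0, so 1 = -alpha - alpha^2."""
    __slots__ = ("x0", "x1")
    def __init__(self, x0, x1): self.x0, self.x1 = x0 % P, x1 % P
    @staticmethod
    def const(c): return F2(-c, -c)                   # c in GF(p) is -c*alpha - c*alpha^2
    def in_base(self): return self.x0 == self.x1      # GF(p) is exactly {x : x0 == x1}
    def to_base(self):
        assert self.in_base(), "element is not in GF(p)"
        return (-self.x0) % P
    def __eq__(self, o): return self.x0 == o.x0 and self.x1 == o.x1
    def __add__(self, o): return F2(self.x0 + o.x0, self.x1 + o.x1)
    def __sub__(self, o): return F2(self.x0 - o.x0, self.x1 - o.x1)
    def __mul__(self, o):                             # uses alpha^3 = 1 and alpha^4 = alpha
        c = self.x0 * o.x1 + self.x1 * o.x0
        return F2(self.x1 * o.x1 - c, self.x0 * o.x0 - c)
    def scale(self, k): return F2(k * self.x0, k * self.x1)
    def frob(self): return F2(self.x1, self.x0)       # x^p = x1*alpha + x0*alpha^2: a free swap


THREE = F2.const(3)


def trace(B, n):
    """T(n) for the element g with T(1) = B, via S(m) = (T(m-2), T(m-1), T(m)) and S(1) = (B^p, 3, B)
    as in section 2.4.4. The per-bit branch leaks n through timing; a deployment needs a
    branch-free ladder, which this toy omits."""
    if n < 0:
        return trace(B, -n).frob()                   # T(-n) = T(n)^p
    if n == 0:
        return THREE
    Bp = B.frob()
    t2, t1, t0 = Bp, THREE, B                        # S(1)
    for bit in bin(n)[3:]:                           # bits of n below the leading one
        t2, t1, t0 = (t1 * t1 - t1.frob().scale(2),          # T(2m-2): Cor. 2.4.2.i
                      t0 * t1 - B * t1.frob() + t2.frob(),   # T(2m-1): Cor. 2.4.2.iii
                      t0 * t0 - t0.frob().scale(2))          # T(2m):   Cor. 2.4.2.i
        if bit == "1":
            t2, t1, t0 = t1, t0, B * t0 - Bp * t1 + t2       # T(m+1):  Cor. 2.4.2.ii
    return t0


def find_B(seed):
    """Algorithm 3.3.8: the trace B of an element of order q, never touching GF(p^6).
    B is public, so the seeded RNG only has to avoid repeating parameters."""
    rng = random.Random(seed)
    while True:
        Bq = F2(rng.randrange(P), rng.randrange(P))          # step 1: B' in GF(p^2)* \ GF(p)*
        if Bq.in_base() or trace(Bq, P + 1).in_base():       # steps 2-3: reject V(p+1) in GF(p)
            continue
        B = trace(Bq, (P * P - P + 1) // Q)                  # step 4
        if B != THREE:                                       # steps 5-6
            return B


def dh(B, a, b):
    """Section 4.1: (V_A, V_B, K_AB as Alice computes it, K_AB as Bob computes it).
    The ElGamal variant of 4.2 is the same two calls with Alice's C = T(k) in place of V_A."""
    VA, VB = trace(B, a), trace(B, b)
    return VA, VB, trace(VB, a), trace(VA, b)


def t_p_minus_2_candidates(B):
    """Lemma 4.5.8: both candidates for T(p-2) = T(p+1) = x1*alpha + x2*alpha^2 from B alone, using
    x1 + x2 = 3 - B^(p+1) and -3(x1 - x2)^2 = B^(2p+2) + 18B^(p+1) - 4(B^(3p) + B^3) - 27;
    the single extra public key bit says which candidate is the right one."""
    Bp1 = B * B.frob()                                       # B^(p+1), lies in GF(p)
    B3 = B * B * B
    disc = Bp1 * Bp1 + Bp1.scale(18) - (B3.frob() + B3).scale(4) - F2.const(27)
    s = (3 - Bp1.to_base()) % P                              # x1 + x2
    d2 = (-disc.to_base() * pow(3, -1, P)) % P               # (x1 - x2)^2
    d = pow(d2, (P + 1) // 4, P)                             # one square root, valid as p = 3 mod 4
    assert d * d % P == d2
    inv2 = pow(2, -1, P)
    return [F2((s + e) * inv2, (s - e) * inv2) for e in (d, -d)]


if __name__ == "__main__":
    B = find_B(seed=7)
    VA, VB, KA, KB = dh(B, 3, 4)
    print("B =", (B.x0, B.x1), " T(q) = 3:", trace(B, Q) == THREE)
    print("DH agree:", KA == KB, " T(p-2) recovered:", trace(B, P - 2) in t_p_minus_2_candidates(B))
```

Two checks worth running on any implementation of this arithmetic, both derivable from the page: $T(q) = 3$ (the element really has order $q$) and $T(p) = B^p$ together with $T(p-1) = B$ (the conjugates are $g^{p-1}$ and $g^{-p}$, i.e. the order divides $p^2 - p + 1$). If either fails, $B$ was not produced by Algorithm 3.3.8 and the DH keys below it cannot be trusted.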
Algorithm 2.5.3 for the computation of the representation of $g^a y^b$ for integers $a$, $b$
with $1 < a, b < q$, given the representation $B$ of $g$ and the representations $C$, $C_+$, and
$C_-$ of $y$, $yg$, and $y/g$, respectively (where $y = g^k$ for an unknown $k$).

1. Compute $c = a/b \bmod q$;

2. Given $B$ use Algorithm 2.4.7 to compute $T(c+1)$, $T(c)$, $T(c-1)$ (note that the final
applications of Corollary 2.4.2.i in Algorithm 2.4.7, if any, should be replaced by the
usual calculation of the full $S(2n)$);

3. Use Lemma 2.5.2 with $T(0) = 3$, $T(1) = B$, $T(-1) = B^p$, $T(c)$, $T(c+1)$, and $T(c-1)$ to
compute $A_c$;

4. Use Lemma 2.5.2 with $T(0) = 3$, $T(1) = B$, $T(-1) = B^p$, $T(k) = C$, $T(k+1) = C_+$, and
$T(k-1) = C_-$ to compute the corresponding power of $A$, which we denote by $A_k$ even
though $k$ is unknown;

5. Compute $A_{c+k}$;

6. Using Lemma 2.5.1 and $A_{c+k}$ compute $T(c+k)$;

7. Use Algorithm 2.4.7 with $B$ replaced by $T(c+k)$ and $n$ replaced by $b$ to compute the
representation $T((c+k)b) = T(a + kb)$ of $g^a y^b$.

Figure 10A is a flow diagram of the arithmetic method to support 
generating digital signatures, as shown in section 2.5.3. 






4.3 Application to digital signature schemes

Let, as in 4.2, Alice's public key data consist of $(p, q, B, C)$, where $C = T(k)$ and $k$ is
Alice's private key. Furthermore, assume that $C_+ = T(k+1)$ and $C_- = T(k-1)$ are included
in Alice's public key (cf. 2.5). We show how the Nyberg-Rueppel (NR) message
recovery signature scheme can be implemented using our subgroup representation.
Application of our method to other digital signature schemes goes in a similar way. To
sign a message $M$ containing an agreed upon type of redundancy, Alice does the
following:

1. Alice selects at random an integer $a$, $1 < a < q - 2$;

2. Alice uses Algorithm 2.4.7 to compute $V_A = T(a) \in GF(p^2)$;

3. Alice uses $V_A$ to encrypt $M$, resulting in the encryption $E$;

4. Alice computes the (integer valued) hash $h$ of $E$;

5. Alice computes $s = (kh + a) \bmod q$ in the range $\{0, 1, \ldots, q-1\}$;

6. Alice's resulting signature on $M$ is $(E, s)$.

As in 4.2 Alice may have to hash the bits representing $V_A$ down to a suitable encryption
key length.

To verify Alice's signature $(E, s)$ and to recover the signed message $M$, Bob does
the following:

1. Bob obtains Alice's public key data $(p, q, B, C, C_+, C_-)$;

2. Bob checks that $0 \le s < q$; if not, failure;

3. Bob computes the hash $h$ of $E$ (using the same hash function used by Alice);

4. Bob replaces $h$ by $-h \bmod q$ (i.e., in the range $\{0, 1, \ldots, q-1\}$);

5. Bob uses Algorithm 2.5.3 to compute the representation $V_B$ of $g^s y^h$ given $a = s$, $b =
h$, $B$, $C$, $C_+$, and $C_-$;

6. Bob uses $V_B$ to decrypt $E$ resulting in the message $M$;

7. If $M$ contains the agreed upon type of redundancy, then the signature is accepted; if
not the signature is rejected.

Since $s = kh + a$ and Bob uses $-h$, the value computed in step 5 is $T(s - kh) = T(a) = V_A$, so a correct signature decrypts $E$ to $M$. The redundancy check in step 7 is the only thing that separates a valid signature from an arbitrary pair $(E, s)$, so the agreed redundancy must be long enough that a random decryption passes it with negligible probability.



Figure 10B is a flow diagram of the method of generating digital 
signatures, as shown in section 4.3., using keys generated by the method 
of Figure 7. 
COMBINED DECLARATION AND POWER OF ATTORNEY FOR
ORIGINAL, DESIGN, NATIONAL STAGE OF PCT, SUPPLEMENTAL,
DIVISIONAL, CONTINUATION OR CONTINUATION-IN-PART APPLICATION



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name, 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint
inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought on 
the invention entitled: 

EFFICIENT AND COMPACT SUBGROUP TRACE REPRESENTATION ("XTR") 

the specification of which 

a. [X] is attached hereto

b. [ ] was filed on ________ as application Serial No. ________ and was amended on

. (if applicable). 

PCT FILED APPLICATION ENTERING NATIONAL STAGE 

c. [ ] was described and claimed in International Application No. ________ filed on ________ and as amended

on . (if any). 

I hereby state that I have reviewed and understand the contents of the above-identified specification, including the 
claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to patentability as defined in 37 C.F.R. § 1.56. 

I hereby specify the following as the correspondence address to which all communications about this application are 
to be directed: 

SEND CORRESPONDENCE TO: 

MORGAN & FINNEGAN, L.L.P. 
345 Park Avenue 
New York, N.Y. 10154 

DIRECT TELEPHONE CALLS TO: 202-857-8011



I hereby claim foreign priority benefits under Title 35, United States Code § 119 (a)-(d) or under § 365(b)
of any foreign application(s) for patent or inventor's certificate or under § 365(a) of any PCT international 
application(s) designating at least one country other than the U.S. listed below and also have identified 
below such foreign application(s) for patent or inventor's certificate or such PCT international 
application(s) filed by me on the same subject matter having a filing date within twelve (12) months before 
that of the application on which priority is claimed: 



[ ] The attached 35 U.S.C. § 119 claim for priority for the application(s) listed below forms a part of this declaration.



Country/PCT Application Number | Date of filing (day, month, yr) | Date of issue (day, month, yr) | Priority Claimed
________ | ________ | ________ | [ ] Y  [ ] N
________ | ________ | ________ | [ ] Y  [ ] N
________ | ________ | ________ | [ ] Y  [ ] N


[ ] I hereby claim the benefit under 35 U.S.C. § 119(e) of any U.S. provisional application(s) listed below.

Provisional Application No. | Date of filing (day, month, yr)
________ | ________



(ADDITIONAL STATEMENTS FOR DIVISIONAL, CONTINUATION OR CONTINUATION-IN-PART OR PCT INTERNATIONAL APPLICATIONS DESIGNATING THE U.S.)

I hereby claim the benefit under Title 35, United States Code § 120 of any United States application(s) or under § 365(c) of any PCT international application(s) designating the U.S. listed below.



US/PCT Application Serial No. | Filing Date | Status (patented, pending, abandoned) / U.S. application no. assigned (For PCT)
________ | ________ | ________
________ | ________ | ________

[ ] In this continuation-in-part application, insofar as the subject matter of any of the claims of this application is not disclosed in the above listed prior United States or PCT international application(s) in the manner provided by the first paragraph of Title 35, United States Code, § 112, I acknowledge the duty to disclose material information as defined in Title 37, Code of Federal Regulations, § 1.56(a) which occurred between the filing date of the prior application(s) and the national or PCT international filing date of this application.

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.
I hereby appoint the following attorneys and/or agents with full power of substitution and revocation, to prosecute this application, to receive the patent, and to transact all business in the Patent and Trademark Office connected therewith: John A. Diaz (Reg. No. 19,550), John C. Vassil (Reg. No. 19,098), Alfred P. Ewert (Reg. No. 19,887), David H. Pfeffer (Reg. No. 19,825), Harry C. Marcus (Reg. No. 22,390), Robert E. Paulson (Reg. No. 21,046), Stephen R. Smith (Reg. No. 22,615), Kurt E. Richter (Reg. No. 24,052), J. Robert Dailey (Reg. No. 27,434), Eugene Moroz (Reg. No. 25,237), John F. Sweeney (Reg. No. 27,471), Arnold I. Rady (Reg. No. 26,601), Christopher A. Hughes (Reg. No. 26,914), William S. Feiler (Reg. No. 26,728), Joseph A. Calvaruso (Reg. No. 28,287), James W. Gould (Reg. No. 28,859), Richard C. Komson (Reg. No. 27,913), Israel Blum (Reg. No. 26,710), Bartholomew Verdirame (Reg. No. 28,483), Maria C.H. Lin (Reg. No. 29,323), Joseph A. DeGirolamo (Reg. No. 28,595), Michael P. Dougherty (Reg. No. 32,730), Seth J. Atlas (Reg. No. 32,454), Andrew M. Riddles (Reg. No. 31,657), Bruce D. DeRenzi (Reg. No. 33,676), Michael M. Murray (Reg. No. 32,537), Mark J. Abate (Reg. No. 32,527), Alfred L. Haffner, Jr. (Reg. No. 18,919), Harold Haidt (Reg. No. 17,509), John T. Gallagher (Reg. No. 35,516), Steven F. Meyer (Reg. No. 35,613), Kenneth H. Sonnenfeld (Reg. No. 33,285), Tony V. Pezzano (Reg. No. 38,271), Andrea L. Wayda (Reg. No. 43,979) and Walter G. Hanchuk (Reg. No. 35,179) of Morgan & Finnegan, L.L.P. whose address is: 345 Park Avenue, New York, New York, 10154; and Michael S. Marcus (Reg. No. 31,727) and John E. Hoel (Reg. No. 26,279) of Morgan & Finnegan, L.L.P., whose address is 1775 Eye Street, Suite 400, Washington, D.C. 20006.

[ ] I hereby authorize the U.S. attorneys and/or agents named hereinabove to accept and follow instructions from ________ as to any action to be taken in the U.S. Patent and Trademark Office regarding this application without direct communication between the U.S. attorneys and/or agents and me. In the event of a change in the person(s) from whom instructions may be taken I will so notify the U.S. attorneys and/or agents named hereinabove.



Full name of sole or first inventor: Arjen K. Lenstra
Inventor's signature*: ________  date: ________
Residence: c/o Citibank, N.A., 1 North Gate Rd, Mendham, NJ 07945-3104
Citizenship: United States
Post Office Address: c/o Citibank, N.A., 1 North Gate Rd, Mendham, NJ 07945-3104



Full name of second inventor: Eric R. Verheul
Inventor's signature*: ________  date: ________
Residence: Goudsbloemstraat 14, 5644 KE Eindhoven, The Netherlands
Citizenship: The Netherlands
Post Office Address: Goudsbloemstraat 14, 5644 KE Eindhoven, The Netherlands



[ ] ATTACHED IS ADDED PAGE TO COMBINED DECLARATION AND POWER OF ATTORNEY FOR SIGNATURE BY THIRD AND SUBSEQUENT INVENTORS FORM.
* Before signing this declaration, each person signing must:

1. Review the declaration and verify the correctness of all information therein; and

2. Review the specification and the claims, including any amendments made to the claims. 



After the declaration is signed, the specification and claims are not to be altered. 



To the inventor(s): 

The following are cited in or pertinent to the declaration attached to the accompanying application:

Title 37, Code of Federal Regulations, § 1.56
Duty to disclose information material to patentability

(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in this section. The duty to disclose information exists with respect to each pending claim until the claim is canceled or withdrawn from consideration, or the application becomes abandoned. Information material to the patentability of a claim that is canceled or withdrawn from consideration need not be submitted if the information is not material to the patentability of any claim remaining under consideration in the application. There is no duty to submit information which is not material to the patentability of any existing claim. The duty to disclose all information known to be material to patentability is deemed to be satisfied if all information known to be material to patentability of any claim issued in a patent was cited by the Office or submitted to the Office in the manner prescribed by §§ 1.97(b)-(d) and 1.98. However, no patent will be granted on an application in connection with which fraud on the Office was practiced or attempted or the duty of disclosure was violated through bad faith or intentional misconduct. The Office encourages applicants to carefully examine:

(1) prior art cited in search reports of a foreign patent office in a counterpart application, and

(2) the closest information over which individuals associated with the filing or prosecution of a patent application believe any pending claim patentably defines, to make sure that any material information contained therein is disclosed to the Office.

Title 35, U.S. Code § 101 

Inventions patentable 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions 
and requirements of this title. 
Title 35, U.S. Code § 102

Conditions for patentability; novelty and loss of right to patent

A person shall be entitled to a patent unless -

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this or a foreign country, before the invention thereof by the applicant for patent,

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States, or

(c) he has abandoned the invention, or

(d) the invention was first patented or caused to be patented, or was the subject of an inventor's certificate, by the applicant or his legal representatives or assigns in a foreign country prior to the date of the application for patent in this country on an application for patent or inventor's certificate filed more than twelve months before the filing of the application in the United States, or

(e) the invention was described in a patent granted on an application for patent by another filed in the United States before the invention thereof by the applicant for patent, or on an international application by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention thereof by the applicant for patent, or

(f) he did not himself invent the subject matter sought to be patented, or

(g) before the applicant's invention thereof the invention was made in this country by another who had not abandoned, suppressed, or concealed it. In determining priority of invention there shall be considered not only the respective dates of conception and reduction to practice of the invention, but also the reasonable diligence of one who was first to conceive and last to reduce to practice, from a time prior to conception by the other.

Title 35, U.S. Code § 103 

Conditions for patentability; non-obvious subject matter 

A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to 
a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

Subject matter developed by another person, which qualifies as prior art only under subsection (f) or (g) of 
section 102 of this title, shall not preclude patentability under this section where the subject matter and the 
claimed invention were, at the time the invention was made, owned by the same person or subject to an 
obligation of assignment to the same person. 
Title 35, U.S. Code § 112 (in part)



Specification 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise and exact terms as to enable any person skilled in the art to 
which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth 
the best mode contemplated by the inventor of carrying out his invention. 

Title 35, U.S. Code, § 119 

Benefit of earlier filing date in foreign country; right of priority 

An application for patent for an invention filed in this country by any person who has, or whose legal 
representatives or assigns have, previously regularly filed an application for a patent for the same invention 
in a foreign country which affords similar privileges in the case of applications filed in the United States or 
to citizens of the United States, shall have the same effect as the same application would have if filed in 
this country on the date on which the application for patent for the same invention was first filed in such 
foreign country, if the application in this country is filed within twelve months from the earliest date on 
which such foreign application was filed; but no patent shall be granted on any application for patent for an 
invention which had been patented or described in a printed publication in any country more than one year 
before the date of the actual filing of the application in this country, or which had been in public use or on 
sale in this country more than one year prior to such filing. 

Title 35, U.S. Code, § 120

Benefit of earlier filing date in the United States

An application for patent for an invention disclosed in the manner provided by the first paragraph of section 112 of this title in an application previously filed in the United States, or as provided by section 363 of this title, which is filed by an inventor or inventors named in the previously filed application shall have the same effect, as to such invention, as though filed on the date of the prior application, if filed before the patenting or abandonment of or termination of proceedings on the first application or an application similarly entitled to the benefit of the filing date of the first application and if it contains or is amended to contain a specific reference to the earlier filed application.

Please read carefully before signing the Declaration attached to the accompanying Application. 

If you have any questions, please contact Morgan & Finnegan, L.L.P. 